Jump to content


Photo
- - - - -

Cannot Run Malwarebytes, SAS, HijackThis, Ad-Aware, McAfee, or Defender


  • This topic is locked This topic is locked
28 replies to this topic

#1 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 31 August 2011 - 08:06 PM

Hey all,

I am running Windows XP Home Edition. As of yesterday, I noticed that my Google.com search results were getting redirected to new pages without modifying the address in the address bar. Some of the titles of the sites appeared to be "SpywareSecurityProtection.com," "validClick," "4dayaweek.com," and "ForLess.com." If I directly type an address into the address bar, then this rerouting does not occur.

Logically, I started pulling up the anti-spyware/malware programs and HijackThis. HijackThis did not open and posted an error message saying, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I was running the 2.0.2 version of HijackThis so that I downloaded the newer version and I got the same response.

I have Spybot - Search & Destroy and tried running that next. It opened, I was able to update it, and the scan showed "Microsoft.Windows.RedirectedHosts." I fixed this file and rebooted, but I was still having the same issues.

I next tried running the On Demand Scan from McAfee and that will not even open and the On Access Scan is permanently disabled despite me trying to enable it.

I opened my copy of Malwarebytes and I am able to update it, but the scanner disappears and will not reopen after about 15 seconds. When I try opening the program again, I see "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Despite this, Malwarebytes appears to be running in the background and shows up in my Taskbar.

Ad-Aware is having similar issues. The message I get when trying to open that program is "System error: 1810 has occurred. Description: Service is not online. Application terminates."

I downloaded Windows Defender and that application will not open. The error message I get is "Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search Help and Support for how to start a service manually." Obviously, restarting did not help this problem.

The next program I downloaded and tried was SUPER Anti-Spyware. The error message I get for this one is "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I tried running this programs in Safe Mode to no avail.

I was looking at some similar problems on the threads here and I came across exehelper in hopes of getting the anti-spyware/malware programs to run. I ran the program and rebooted, but that did not seem to help. Here is my log:

exeHelper by Raktor
Build 20100414
Run at 15:34:41 on 08/31/11
Now searching...
Checking for numerical processes...
Killed numerical process 2021518833:236094087
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

As you can see, the 2021518833:236094087 process (uses a constant 1,892 K of memory) bothers me in my Task Manager, but I cannot get the program to stop running, nor am I able to find/delete it manually.



In summary, Google.com searches reroute to other websites without changing the address in the address bar; Malwarebytes, HijackThis, SAS, Ad-Aware, McAfee, and Windows Defender all will not open or will not allow me to do a system scan; and Spybot - Search & Destroy runs the scanner but does not detect anything that fixes the problem.

According to your posting guidelines, I ran the Defogger (which worked fine), and the dds.scr (log below), but the GMER Rootkit Scanner disappears about 30 seconds after I start the scan and I am unable to reopen it unless I download a new, randomly generated .exe file.

Can anyone help me with what I should do next?

Thanks!

Best,

Maelski

Here is the dds.txt log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Run by Me at 20:43:31 on 2011-08-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1095 [GMT -4:00]
.
AV: Malware Defense *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\2021518833:236094087.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
StartupFolder: c:\docume~1\ryanfr~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{4D3882EF-677F-4FC3-ADC7-C221D961E4E2} : DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{F6BC5305-F669-451C-BC20-EC2879F79CE1} : DhcpNameServer = 68.87.71.230 68.87.73.246
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Trend Micro Anti-Spyware Shell Extension: {03a80b1d-5c6a-42c2-9dfb-81b6005d8023} - c:\program files\trend micro\tmas\sshook.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan fredericks\application data\mozilla\firefox\profiles\uh4vz55x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\ryan fredericks\application data\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\ryan fredericks\application data\mozilla\firefox\profiles\uh4vz55x.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\mozill~1\plugins\NPSWF32.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\mozilla firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\ryan fredericks\application data\idm\bin\flash
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\ryan fredericks\application data\idm\bin\flash
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-11-17 611664]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-31 366640]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-17 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-5 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-31 22712]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-17 72264]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-17 168776]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-6-10 29184]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-6-10 226304]
S0 71895782;71895782;c:\windows\system32\drivers\67982631.sys --> c:\windows\system32\drivers\67982631.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-17 34152]
S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [2010-7-19 103424]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [2010-7-19 103424]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-17 1119888]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-09-01 00:15:08 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-31 23:52:01 43408 --sha-w- c:\windows\system32\c_83943.nl_
2011-08-31 20:56:49 840704 ----a-w- c:\documents and settings\all users\application data\defender.exe
2011-08-31 20:13:12 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 20:13:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 20:13:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 17:44:49 -------- d-----w- c:\documents and settings\ryan fredericks\application data\SUPERAntiSpyware.com
2011-08-31 17:44:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-31 17:44:32 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-31 17:14:47 -------- d-----w- C:\VundoFix Backups
2011-08-31 16:53:01 7152464 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\updates\mpengine.dll
2011-08-31 16:53:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-30 22:49:18 388096 ----a-r- c:\documents and settings\ryan fredericks\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-30 22:24:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-30 22:24:48 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-30 20:42:45 -------- d-----w- C:\spoolerlogs
2011-08-30 20:31:04 4194304 ----a-w- c:\windows\system32\wxaetreo.dll
2011-08-30 20:30:44 -------- d-----w- c:\documents and settings\ryan fredericks\application data\Remote
2011-08-25 19:24:02 -------- d-----w- c:\documents and settings\ryan fredericks\application data\DDMSettings
2011-08-15 11:10:46 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-09-01 00:41:05 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp
2011-09-01 00:24:50 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-01 00:16:08 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-31 21:17:07 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-31 17:32:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2011-08-30 20:46:12 143428 ----a-w- c:\windows\system32\nvsvc32.exe
2011-08-16 22:36:04 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 20:50:47.28 ===============

#2 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 03 September 2011 - 12:02 AM

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


-screen317
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#3 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 03 September 2011 - 10:44 PM

Hi screen317,

Thanks for helping. Attached is the ComboFix.txt.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Run by Ryan Fredericks at 23:36:43 on 2011-09-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.777 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\ryanfr~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{4D3882EF-677F-4FC3-ADC7-C221D961E4E2} : DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{F6BC5305-F669-451C-BC20-EC2879F79CE1} : DhcpNameServer = 68.87.71.230 68.87.73.246
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan fredericks\application data\mozilla\firefox\profiles\uh4vz55x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\ryan fredericks\application data\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\ryan fredericks\application data\mozilla\firefox\profiles\uh4vz55x.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\mozilla firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\ryan fredericks\application data\idm\bin\flash
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\ryan fredericks\application data\idm\bin\flash
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-11-17 611664]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-31 366640]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-17 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 139264]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-5 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-31 22712]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-17 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-17 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-17 168776]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-6-10 29184]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-6-10 226304]
S0 71895782;71895782;c:\windows\system32\drivers\67982631.sys --> c:\windows\system32\drivers\67982631.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [2010-7-19 103424]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [2010-7-19 103424]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-17 1119888]
.
=============== Created Last 30 ================
.
2011-09-04 02:50:03 -------- d-sha-r- C:\cmdcons
2011-09-04 02:43:55 98816 ----a-w- c:\windows\sed.exe
2011-09-04 02:43:55 518144 ----a-w- c:\windows\SWREG.exe
2011-09-04 02:43:55 256000 ----a-w- c:\windows\PEV.exe
2011-09-04 02:43:55 208896 ----a-w- c:\windows\MBR.exe
2011-09-01 19:33:35 -------- d-----w- c:\program files\ESET
2011-09-01 00:15:08 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-31 23:52:01 43408 --sha-w- c:\windows\system32\c_83943.nl_
2011-08-31 20:13:12 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 20:13:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 20:13:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 17:44:49 -------- d-----w- c:\documents and settings\ryan fredericks\application data\SUPERAntiSpyware.com
2011-08-31 17:44:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-31 17:44:32 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-31 17:32:52 951291 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\remregfix.reg
2011-08-31 17:32:52 896 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\databasepath.reg
2011-08-31 17:32:52 890 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\Remove-itRestorePoint.vbs
2011-08-31 17:32:52 5228 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\nfig.reg
2011-08-31 17:32:52 4994 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\s.reg
2011-08-31 17:32:52 4512 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\hpregfix.reg
2011-08-31 17:32:52 3008 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\bgregfix.reg
2011-08-31 17:32:52 2600 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\exefix.reg
2011-08-31 17:32:52 18308 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\IEDef.reg
2011-08-31 17:32:52 1754 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\regf.reg
2011-08-31 17:14:47 -------- d-----w- C:\VundoFix Backups
2011-08-31 16:53:01 7152464 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\updates\mpengine.dll
2011-08-31 16:53:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-30 22:49:18 388096 ----a-r- c:\documents and settings\ryan fredericks\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-30 22:24:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-30 22:24:48 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-30 20:42:45 -------- d-----w- C:\spoolerlogs
2011-08-30 20:31:04 4194304 ----a-w- c:\windows\system32\wxaetreo.dll
2011-08-30 20:30:44 -------- d-----w- c:\documents and settings\ryan fredericks\application data\Remote
2011-08-25 19:24:02 -------- d-----w- c:\documents and settings\ryan fredericks\application data\DDMSettings
2011-08-15 11:10:46 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-09-01 00:41:05 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp
2011-09-01 00:24:50 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-01 00:16:08 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-31 21:17:07 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-31 17:32:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2011-08-30 20:46:12 143428 ----a-w- c:\windows\system32\nvsvc32.exe
2011-08-16 22:36:04 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 23:42:44.95 ===============

#4 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 07 September 2011 - 02:02 PM

Hi,

Nothing was attached to your post.


Please just copy and paste it to your reply instead.
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#5 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 07 September 2011 - 06:03 PM

Ah- my apologies. I believe I forgot to click the "Attach This File" button. I attached it again, but I also pasted it to make sure that you get it. Thanks!

ComboFix 11-09-03.01 - Ryan Fredericks 09/03/2011 23:02:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1374 [GMT -4:00]
Running from: c:\documents and settings\Ryan Fredericks\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\DotNetInstaller.exe.5bb65c40.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ExecAfterFirstBoot.exe.e14e59e8.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL1BA.tmp.c69ab859.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL3C.tmp.d00684d9.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\VSC.exe.fc8fbd43.ini
c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
c:\documents and settings\All Users\Application Data\h8srtmainqt.dll
c:\documents and settings\All Users\Application Data\sysReserve.ini
c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\DotNetInstaller.exe.5bb65c40.ini
c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\ExecAfterFirstBoot.exe.e14e59e8.ini
c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\SL1BA.tmp.c69ab859.ini
c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\SL3C.tmp.d00684d9.ini
c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\VSC.exe.fc8fbd43.ini
c:\documents and settings\LocalService\Application Data\6ccb.log
c:\documents and settings\LocalService\Application Data\LocalAccountAuthority.bat
c:\documents and settings\LocalService\Application Data\Plug.bat
c:\documents and settings\NetworkService\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\NetworkService\Local Settings\Application Data\ApplicationHistory\mswmccds.exe.5bdff540.ini
c:\documents and settings\Ryan Fredericks\Application Data\6ccb.log
c:\documents and settings\Ryan Fredericks\Application Data\Remote\mnj.dat
c:\documents and settings\Ryan Fredericks\Application Data\Remote\owlctx
c:\documents and settings\Ryan Fredericks\Application Data\Remote\srjmh47_shrd
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\DotNetInstaller.exe.5bb65c40.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\ExecAfterFirstBoot.exe.e14e59e8.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\HPQDocViewer.exe.100bbc94.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\mswmc.exe.ed1fcd7a.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\SL1BA.tmp.c69ab859.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\SL3C.tmp.d00684d9.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\VSC.exe.7b5a1892.ini.inuse
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\VSC.exe.fc8fbd43.ini
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\beep.sys
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\scan.exe
c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\tskill.exe
c:\documents and settings\Ryan Fredericks\WINDOWS
C:\Install.exe
c:\windows\$NtUninstallKB29546$
c:\windows\$NtUninstallKB29546$\1828321174
c:\windows\$NtUninstallKB29546$\4058873208\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB29546$\4058873208\click.tlb
c:\windows\$NtUninstallKB29546$\4058873208\L\wxaetreo
c:\windows\$NtUninstallKB29546$\4058873208\loader.tlb
c:\windows\$NtUninstallKB29546$\4058873208\U\@00000001
c:\windows\$NtUninstallKB29546$\4058873208\U\@000000c0
c:\windows\$NtUninstallKB29546$\4058873208\U\@000000cb
c:\windows\$NtUninstallKB29546$\4058873208\U\@000000cf
c:\windows\$NtUninstallKB29546$\4058873208\U\@80000000
c:\windows\$NtUninstallKB29546$\4058873208\U\@800000c0
c:\windows\$NtUninstallKB29546$\4058873208\U\@800000cb
c:\windows\$NtUninstallKB29546$\4058873208\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\bwUnin-7.2.0.137-8876480SL.exe
c:\windows\bwUnin-7.2.0.157-8876480SL.exe
c:\windows\bwUnin-8.1.1.50-8876480SL.exe
c:\windows\dasetup.log
c:\windows\kb835221.exe
c:\windows\ST6UNST.000
c:\windows\system32\comct332.ocx
c:\windows\windows-kb870669-x86-enu.exe
c:\windows\windowsinstaller-kb893803-v2-x86.exe
c:\windows\windowsxp-kb307154-x86-enu.exe
c:\windows\windowsxp-kb873339-x86-enu.exe
c:\windows\windowsxp-kb884018-x86-enu.exe
c:\windows\windowsxp-kb884575-x86-enu.exe
c:\windows\windowsxp-kb885250-x86-enu.exe
c:\windows\windowsxp-kb885835-x86-enu.exe
c:\windows\windowsxp-kb885836-x86-enu.exe
c:\windows\windowsxp-kb886185-x86-enu.exe
c:\windows\windowsxp-kb887472-x86-enu.exe
c:\windows\windowsxp-kb887742-x86-enu.exe
c:\windows\windowsxp-kb888113-x86-enu.exe
c:\windows\windowsxp-kb888239-x86-enu.exe
c:\windows\windowsxp-kb888302-x86-enu.exe
c:\windows\windowsxp-kb888321-x86-enu.exe
c:\windows\windowsxp-kb890046-x86-enu.exe
c:\windows\windowsxp-kb890859-x86-enu.exe
c:\windows\windowsxp-kb891781-x86-enu.exe
c:\windows\WindowsXP-KB893056-x86-ENU.exe
c:\windows\windowsxp-kb893066-v2-x86-enu.exe
c:\windows\windowsxp-kb893357-v2-x86-enu.exe
c:\windows\windowsxp-kb893756-x86-enu.exe
c:\windows\windowsxp-kb894391-x86-enu.exe
c:\windows\windowsxp-kb896358-x86-enu.exe
c:\windows\windowsxp-kb896422-x86-enu.exe
c:\windows\windowsxp-kb896423-x86-enu.exe
c:\windows\windowsxp-kb896424-x86-enu.exe
c:\windows\windowsxp-kb896428-x86-enu.exe
c:\windows\windowsxp-kb896688-x86-enu.exe
c:\windows\windowsxp-kb896727-x86-enu.exe
c:\windows\windowsxp-kb899587-x86-enu.exe
c:\windows\windowsxp-kb899588-x86-enu.exe
c:\windows\windowsxp-kb899589-x86-enu.exe
c:\windows\windowsxp-kb899591-x86-enu.exe
c:\windows\windowsxp-kb900466-x86-enu.exe
c:\windows\windowsxp-kb900725-x86-enu.exe
c:\windows\windowsxp-kb901017-x86-enu.exe
c:\windows\windowsxp-kb901214-x86-enu.exe
c:\windows\windowsxp-kb902400-x86-enu.exe
c:\windows\windowsxp-kb903235-x86-enu.exe
c:\windows\windowsxp-kb904706-x86-enu.exe
c:\windows\windowsxp-kb905414-x86-enu.exe
c:\windows\windowsxp-kb905749-x86-enu.exe
c:\windows\windowsxp-kb905915-x86-enu.exe
c:\windows\windowsxp-kb908519-x86-enu.exe
c:\windows\windowsxp-kb908531-x86-enu.exe
c:\windows\windowsxp-kb909667-x86-enu.exe
c:\windows\windowsxp-kb910728-x86-enu.exe
c:\windows\windowsxp-kb911562-x86-enu.exe
c:\windows\windowsxp-kb912812-x86-enu.exe
c:\windows\windowsxp-kb912919-x86-enu.exe
c:\windows\windowsxp-kb912945-x86-enu.exe
.
c:\windows\system32\drivers\tosrfcom.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_f1ed7d78
.
.
((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))
.
.
2011-09-01 19:33 . 2011-09-01 19:33 -------- d-----w- c:\program files\ESET
2011-09-01 00:15 . 2011-09-01 00:15 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-31 23:52 . 2011-09-01 00:26 43408 --sha-w- c:\windows\system32\c_83943.nl_
2011-08-31 20:13 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 20:13 . 2011-08-31 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 20:13 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\SUPERAntiSpyware.com
2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-31 17:32 . 2011-08-31 17:32 951291 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\remregfix.reg
2011-08-31 17:32 . 2011-08-31 17:32 896 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\databasepath.reg
2011-08-31 17:32 . 2011-08-31 17:32 890 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\Remove-itRestorePoint.vbs
2011-08-31 17:32 . 2011-08-31 17:32 5228 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\nfig.reg
2011-08-31 17:32 . 2011-08-31 17:32 4994 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\s.reg
2011-08-31 17:32 . 2011-08-31 17:32 4512 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\hpregfix.reg
2011-08-31 17:32 . 2011-08-31 17:32 3008 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\bgregfix.reg
2011-08-31 17:32 . 2011-08-31 17:32 2600 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\exefix.reg
2011-08-31 17:32 . 2011-08-31 17:32 18308 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\IEDef.reg
2011-08-31 17:32 . 2011-08-31 17:32 1754 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\regf.reg
2011-08-31 17:14 . 2011-08-31 17:14 -------- d-----w- C:\VundoFix Backups
2011-08-31 16:53 . 2011-08-16 12:48 7152464 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-08-31 16:53 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-31 16:51 . 2011-08-31 16:51 -------- d-----w- c:\program files\Windows Defender
2011-08-30 22:24 . 2011-08-30 22:24 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-30 20:42 . 2011-08-30 20:42 -------- d-----w- C:\spoolerlogs
2011-08-30 20:31 . 2011-08-30 20:31 4194304 ----a-w- c:\windows\system32\wxaetreo.dll
2011-08-30 20:30 . 2011-09-04 03:14 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\Remote
2011-08-25 19:24 . 2011-08-25 19:24 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\DDMSettings
2011-08-15 11:10 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-01 00:41 . 2006-06-11 00:02 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp
2011-09-01 00:24 . 2006-06-10 23:52 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-01 00:16 . 2004-08-03 23:14 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-31 21:17 . 2004-08-03 22:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-31 17:32 . 2006-06-10 23:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2011-08-30 22:49 . 2011-08-30 22:49 388096 ----a-r- c:\documents and settings\Ryan Fredericks\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-30 20:46 . 2006-06-10 23:52 143428 ----a-w- c:\windows\system32\nvsvc32.exe
2011-08-16 22:36 . 2011-05-25 22:20 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-06-10 23:52 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-06-10 23:52 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2006-06-11 00:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18 . 2009-07-04 16:08 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2006-06-10 23:52 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2006-06-10 23:52 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58 . 2006-06-10 23:52 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2006-06-10 23:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-25 273544]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\Ryan Fredericks\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe [2008-3-18 4742184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-13 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-8-25 528384]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 22:11 640440 -c--a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-06-08 00:54 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-11-18 03:47 118784 -c--a-w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-03-17 01:58 47392 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppMon Utility]
2006-03-15 17:55 40960 -c--a-w- c:\program files\Sony\AppMonUtil\AppMonUtility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 08:49 318096 -c--a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DirectPlayerCore]
2009-09-24 21:45 1150016 -c--a-w- c:\program files\NBC Direct\DirectPlayerCore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExecAfterFirstBoot]
2005-03-16 18:22 204800 -c--a-w- c:\windows\SONYSYS\EFlyer\ExecAfterFirstBoot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-04-20 17:10 50792 -c--a-w- c:\program files\Common Files\AOL\1150570943\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-12-15 15:18 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-02-21 23:59 143360 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2004-02-20 21:12 32768 -c--a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 22:34 213936 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-02-13 15:42 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-07-23 03:25 28160 -c--a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-07-19 14:05 53248 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-08 14:50 7561216 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-08 14:50 86016 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 20:12 26192168 -c--a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
2006-01-26 09:28 212992 -c--a-w- c:\program files\Sony\VAIO Power Management\SPMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-24 23:53 1242448 -c--a-w- c:\progra~1\Valve\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
2005-11-24 18:47 167936 -c--a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 04:08 28672 -c--a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2005-10-12 04:36 151552 -c--a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
2005-12-01 09:20 69632 -c--a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2005-06-13 22:42 258048 -c--a-w- c:\program files\Sony\VAIO Survey\SurveySA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2011-08-30 20:47 111816 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
2006-11-01 18:19 145072 -c--a-w- c:\program files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 -c----w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"Image Converter video recording monitor for VAIO Entertainment"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"gusvc"=2 (0x2)
"OpenCASE Media Agent"=2 (0x2)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Adobe Version Cue CS4"=3 (0x3)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"Pharos Systems ComTaskMaster"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58306:TCP"= 58306:TCP:PandoRest Listening Port
"57232:TCP"= 57232:TCP:PandoRest Listening Port
"56666:TCP"= 56666:TCP:PandoRest Listening Port
"57541:TCP"= 57541:TCP:PandoRest Listening Port
"58998:TCP"= 58998:TCP:PandoRest Listening Port
"57251:TCP"= 57251:TCP:Pando Media Booster
"57251:UDP"= 57251:UDP:Pando Media Booster
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"56903:TCP"= 56903:TCP:Pando Media Booster
"56903:UDP"= 56903:UDP:Pando Media Booster
"58433:TCP"= 58433:TCP:Pando Media Booster
"58433:UDP"= 58433:UDP:Pando Media Booster
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"56396:TCP"= 56396:TCP:Pando Media Booster
"56396:UDP"= 56396:UDP:Pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"6979:TCP"= 6979:TCP:League of Legends Launcher
"6979:UDP"= 6979:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"6983:TCP"= 6983:TCP:League of Legends Launcher
"6983:UDP"= 6983:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/31/2011 4:13 PM 366640]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/5/2008 11:25 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/31/2011 4:13 PM 22712]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [6/10/2006 7:52 PM 29184]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [6/10/2006 7:52 PM 226304]
S0 71895782;71895782;c:\windows\system32\drivers\67982631.sys --> c:\windows\system32\drivers\67982631.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [7/19/2010 10:37 AM 103424]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [7/19/2010 10:37 AM 103424]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/2/2009 4:23 PM 717296]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-09-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1558351877-522379458-2971586956-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-09-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1558351877-522379458-2971586956-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Ryan Fredericks\Application Data\Mozilla\Firefox\Profiles\uh4vz55x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
ShellExecuteHooks-{03A80B1D-5C6A-42c2-9DFB-81B6005D8023} - c:\program files\Trend Micro\Tmas\sshook.dll
SafeBoot-19969215.sys
SafeBoot-71246523.sys
SafeBoot-71895782.sys
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-extrac64_cab - c:\docume~1\RYANFR~1\LOCALS~1\Temp\extrac64_cab.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-Malware Defense - c:\program files\Malware Defense\mdefense.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe
AddRemove-BlitzMail - c:\windows\unvise32.exe
AddRemove-{319D9385-EEC1-4ae5-BFD1-C5DE1E063F30} - c:\program files\Trend Micro\Tmas\tmas.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-03 23:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Cdrom]
"ImagePath"="system32\drivers\tsk9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1200)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\VESWinlogon.dll
.
- - - - - - - > 'explorer.exe'(4664)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\program files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-03 23:26:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-04 03:26
.
Pre-Run: 18,547,580,928 bytes free
Post-Run: 18,292,645,888 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 886ADCE6233F8F72A7F31B50578C5D5A

Attached Files



#6 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 08 September 2011 - 04:18 PM

Before we continue, please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\drivers\tosrfcom.sys


Post the results in your reply.


Also zip up that file and attach it to your reply.
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#7 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 08 September 2011 - 06:58 PM

Hello screen317,

Two things:

1. I cannot access VirusTotal.com on this computer. The virus appears to be completely blocking the site.
2. That being said, I attempted to search for the tosrfcom.sys file so that I could upload the file via another computer, but I cannot find that file manually or through the Search function on Windows.

I ran ComboFix again to see what it would come up with; the log is below. What should I do next?



ComboFix 11-09-08.03 - Ryan Fredericks 09/08/2011 19:40:24.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1399 [GMT -4:00]
Running from: c:\documents and settings\Ryan Fredericks\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\setupapi.log
.
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-01 19:33 . 2011-09-01 19:33 -------- d-----w- c:\program files\ESET
2011-09-01 00:15 . 2011-09-01 00:15 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-31 23:52 . 2011-09-01 00:26 43408 --sha-w- c:\windows\system32\c_83943.nl_
2011-08-31 20:13 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 20:13 . 2011-08-31 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 20:13 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\SUPERAntiSpyware.com
2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-31 17:32 . 2011-08-31 17:32 951291 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\remregfix.reg
2011-08-31 17:32 . 2011-08-31 17:32 896 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\databasepath.reg
2011-08-31 17:32 . 2011-08-31 17:32 890 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\Remove-itRestorePoint.vbs
2011-08-31 17:32 . 2011-08-31 17:32 5228 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\nfig.reg
2011-08-31 17:32 . 2011-08-31 17:32 4994 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\s.reg
2011-08-31 17:32 . 2011-08-31 17:32 4512 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\hpregfix.reg
2011-08-31 17:32 . 2011-08-31 17:32 3008 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\bgregfix.reg
2011-08-31 17:32 . 2011-08-31 17:32 2600 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\exefix.reg
2011-08-31 17:32 . 2011-08-31 17:32 18308 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\IEDef.reg
2011-08-31 17:32 . 2011-08-31 17:32 1754 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\regf.reg
2011-08-31 17:14 . 2011-08-31 17:14 -------- d-----w- C:\VundoFix Backups
2011-08-31 16:53 . 2011-08-16 12:48 7152464 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-08-31 16:53 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-31 16:51 . 2011-08-31 16:51 -------- d-----w- c:\program files\Windows Defender
2011-08-30 22:49 . 2011-08-30 22:49 388096 ----a-r- c:\documents and settings\Ryan Fredericks\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-30 22:24 . 2011-08-30 22:24 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-30 20:42 . 2011-08-30 20:42 -------- d-----w- C:\spoolerlogs
2011-08-30 20:31 . 2011-08-30 20:31 4194304 ----a-w- c:\windows\system32\wxaetreo.dll
2011-08-30 20:30 . 2011-09-04 03:14 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\Remote
2011-08-25 19:24 . 2011-08-25 19:24 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\DDMSettings
2011-08-15 11:10 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-01 00:41 . 2006-06-11 00:02 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp
2011-09-01 00:24 . 2006-06-10 23:52 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-01 00:16 . 2004-08-03 23:14 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-31 21:17 . 2004-08-03 22:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-31 17:32 . 2006-06-10 23:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2011-08-30 20:46 . 2006-06-10 23:52 143428 ----a-w- c:\windows\system32\nvsvc32.exe
2011-08-16 22:36 . 2011-05-25 22:20 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-06-10 23:52 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-06-10 23:52 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2006-06-11 00:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18 . 2009-07-04 16:08 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2006-06-10 23:52 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2006-06-10 23:52 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58 . 2006-06-10 23:52 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2006-06-10 23:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-04_03.18.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-08 21:40 . 2011-09-08 21:40 16384 c:\windows\Temp\Perflib_Perfdata_980.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-25 273544]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\Ryan Fredericks\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe [2008-3-18 4742184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-13 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-8-25 528384]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 22:11 640440 -c--a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-06-08 00:54 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-11-18 03:47 118784 -c--a-w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-03-17 01:58 47392 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppMon Utility]
2006-03-15 17:55 40960 -c--a-w- c:\program files\Sony\AppMonUtil\AppMonUtility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 08:49 318096 -c--a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DirectPlayerCore]
2009-09-24 21:45 1150016 -c--a-w- c:\program files\NBC Direct\DirectPlayerCore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExecAfterFirstBoot]
2005-03-16 18:22 204800 -c--a-w- c:\windows\SONYSYS\EFlyer\ExecAfterFirstBoot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-04-20 17:10 50792 -c--a-w- c:\program files\Common Files\AOL\1150570943\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-12-15 15:18 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-02-21 23:59 143360 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2004-02-20 21:12 32768 -c--a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 22:34 213936 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-02-13 15:42 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-07-23 03:25 28160 -c--a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-07-19 14:05 53248 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-08 14:50 7561216 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-08 14:50 86016 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 20:12 26192168 -c--a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
2006-01-26 09:28 212992 -c--a-w- c:\program files\Sony\VAIO Power Management\SPMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-24 23:53 1242448 -c--a-w- c:\progra~1\Valve\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
2005-11-24 18:47 167936 -c--a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 04:08 28672 -c--a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2005-10-12 04:36 151552 -c--a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
2005-12-01 09:20 69632 -c--a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2005-06-13 22:42 258048 -c--a-w- c:\program files\Sony\VAIO Survey\SurveySA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2011-08-30 20:47 111816 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
2006-11-01 18:19 145072 -c--a-w- c:\program files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 -c----w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"Image Converter video recording monitor for VAIO Entertainment"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"gusvc"=2 (0x2)
"OpenCASE Media Agent"=2 (0x2)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Adobe Version Cue CS4"=3 (0x3)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"Pharos Systems ComTaskMaster"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58306:TCP"= 58306:TCP:PandoRest Listening Port
"57232:TCP"= 57232:TCP:PandoRest Listening Port
"56666:TCP"= 56666:TCP:PandoRest Listening Port
"57541:TCP"= 57541:TCP:PandoRest Listening Port
"58998:TCP"= 58998:TCP:PandoRest Listening Port
"57251:TCP"= 57251:TCP:Pando Media Booster
"57251:UDP"= 57251:UDP:Pando Media Booster
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"56903:TCP"= 56903:TCP:Pando Media Booster
"56903:UDP"= 56903:UDP:Pando Media Booster
"58433:TCP"= 58433:TCP:Pando Media Booster
"58433:UDP"= 58433:UDP:Pando Media Booster
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"56396:TCP"= 56396:TCP:Pando Media Booster
"56396:UDP"= 56396:UDP:Pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"6979:TCP"= 6979:TCP:League of Legends Launcher
"6979:UDP"= 6979:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"6983:TCP"= 6983:TCP:League of Legends Launcher
"6983:UDP"= 6983:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/5/2008 11:25 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/31/2011 4:13 PM 22712]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [6/10/2006 7:52 PM 29184]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [6/10/2006 7:52 PM 226304]
S0 71895782;71895782;c:\windows\system32\drivers\67982631.sys --> c:\windows\system32\drivers\67982631.sys [?]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/31/2011 4:13 PM 366640]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [7/19/2010 10:37 AM 103424]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [7/19/2010 10:37 AM 103424]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/2/2009 4:23 PM 717296]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-09-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1558351877-522379458-2971586956-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-09-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1558351877-522379458-2971586956-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Ryan Fredericks\Application Data\Mozilla\Firefox\Profiles\uh4vz55x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-08 19:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Cdrom]
"ImagePath"="system32\drivers\tsk9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1196)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\VESWinlogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2011-09-08 19:52:09
ComboFix-quarantined-files.txt 2011-09-08 23:51
ComboFix2.txt 2011-09-04 03:26
.
Pre-Run: 18,104,324,096 bytes free
Post-Run: 18,193,494,016 bytes free
.
- - End Of File - - EB3253B0A0ADBE9E01A8F70B8CEB1848

Attached Files



#8 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 12 September 2011 - 06:43 PM

Hi,

My apologies for the delay.


Delete your copies of TDSSKiller and ComboFix. Grab fresh copies. Run TDSSKiller then immediately after, run ComboFix. Post both logs.


Please download GMER from one of the following locations and save it to your Desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
    Posted Image
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      Posted Image
      Click the image to enlarge it
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any <--- ROOTKIT entries

Please copy and paste the report into your Post.


Are you currently connected through a router?
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#9 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 13 September 2011 - 03:34 PM

I deleted my copies of ComboFix and TDSSKiller. I ran TDSSKiller first, then ComboFix, then GMER.

Attached are the ComboFix, TDSSKiller, and GMER logs.

Also, I am currently connected through a Linksys router.

Attached File  TDSSKiller.2.5.21.0_12.09.2011_20.16.22_log.txt   94.09KB   33 downloads

Attached File  ComboFix.txt   32.63KB   35 downloads

Attached File  TDSSKiller.2.5.21.0_12.09.2011_20.16.22_log.txt   94.09KB   33 downloads


Hi,

My apologies for the delay.


Delete your copies of TDSSKiller and ComboFix. Grab fresh copies. Run TDSSKiller then immediately after, run ComboFix. Post both logs.


Please download GMER from one of the following locations and save it to your Desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
    Posted Image
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      Posted Image
      Click the image to enlarge it
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any <--- ROOTKIT entries

Please copy and paste the report into your Post.


Are you currently connected through a router?

Attached Files

  • Attached File  ark.txt   7.56KB   30 downloads


#10 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 13 September 2011 - 03:37 PM

My apologies for adding the TDSSKiller report twice to the post. The GMER log is attached normally at the end of the post.

#11 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 16 September 2011 - 12:54 AM

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=94249
Collect::
c:\windows\system32\c_83943.nl_
c:\windows\system32\wxaetreo.dll

Save this as CFScript.txt


Posted Image


Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#12 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 17 September 2011 - 07:52 AM

Attached is the new ComboFix log.

Thanks for your help, screen!

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=94249
Collect::
c:\windows\system32\c_83943.nl_
c:\windows\system32\wxaetreo.dll

Save this as CFScript.txt


Posted Image


Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Attached Files



#13 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 18 September 2011 - 12:39 AM

Looks like you have some new malware.

Please go to VirusTotal, and upload the following file(s) for analysis:
c:\windows\system32\wscui32.dll

Post the results in your reply.


Also zip up that file and attach it to your reply.
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#14 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 18 September 2011 - 10:55 AM

screen317,

I usually turn off my laptop when I am done with it. That being said, when I turned it on after sending you the last log, here is what my McAfee On-Access Scan said:

9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe CLSID\{1822C65C-061F-4572-B42B-3DD886988506}\InprocServer32 Generic Downloader.x!gc3 (Trojan)
9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe HKCR\CLSID\{1822C65C-061F-4572-B42B-3DD886988506}\InprocServer32 Generic Downloader.x!gc3 (Trojan)
9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe CLSID\{1822C65C-061F-4572-B42B-3DD886988506} Generic Downloader.x!gc3 (Trojan)
9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe HKCR\CLSID\{1822C65C-061F-4572-B42B-3DD886988506} Generic Downloader.x!gc3 (Trojan)
9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1822C65C-061F-4572-B42B-3DD886988506} Generic Downloader.x!gc3 (Trojan)
9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\SYSTEM32\WSCUI32.DLL Generic Downloader.x!gc3 (Trojan)
9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\system32\wscui32.dll Generic Downloader.x!gc3 (Trojan)

Hence, McAfee deleted the file you wanted me to check. Should I just leave my laptop open or in sleep mode with all my virus protection off after I send you the next log (I will repeat your last steps again to see if we can find anything)? That way it should stop deleting the files you want me to upload. Also, I suppose I could remove McAfee from startup if you think that is safe. I am sorry this keeps occurring after we find a malicious file.

#15 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 18 September 2011 - 02:46 PM

Here is the new ComboFix log. I added the CFScript.txt to the ComboFix.exe program but this time it did not ask if I had an internet connection to submit anything. Hope I did everything correctly.

Attached Files



#16 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 22 September 2011 - 04:12 PM

Hi,


I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar


Let me know if you decided to uninstall it.


Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the box below into Notepad:

Driver::
71895782

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

Post its log directly instead of attaching it. Use multiple posts if necessary.

-screen317
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#17 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 24 September 2011 - 09:22 AM

I uninstalled Viewpoint Manager, Viewpoint Mediaplayer, and Viewpoint Toolbar. Here is the latest log:

ComboFix 11-09-23.03 - Ryan Fredericks 09/23/2011 14:43:04.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1322 [GMT -4:00]
Running from: c:\documents and settings\Ryan Fredericks\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan Fredericks\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory
c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\DotNetInstaller.exe.5bb65c40.ini
c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\ExecAfterFirstBoot.exe.e14e59e8.ini
c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\SL1BA.tmp.c69ab859.ini
c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\SL3C.tmp.d00684d9.ini
c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\VSC.exe.fc8fbd43.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_71895782
.
.
((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))
.
.
2011-09-01 19:33 . 2011-09-01 19:33 -------- d-----w- c:\program files\ESET
2011-08-31 20:13 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 20:13 . 2011-08-31 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 20:13 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\SUPERAntiSpyware.com
2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-31 17:32 . 2011-08-31 17:32 951291 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\remregfix.reg
2011-08-31 17:32 . 2011-08-31 17:32 896 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\databasepath.reg
2011-08-31 17:32 . 2011-08-31 17:32 890 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\Remove-itRestorePoint.vbs
2011-08-31 17:32 . 2011-08-31 17:32 5228 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\nfig.reg
2011-08-31 17:32 . 2011-08-31 17:32 4994 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\s.reg
2011-08-31 17:32 . 2011-08-31 17:32 4512 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\hpregfix.reg
2011-08-31 17:32 . 2011-08-31 17:32 3008 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\bgregfix.reg
2011-08-31 17:32 . 2011-08-31 17:32 2600 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\exefix.reg
2011-08-31 17:32 . 2011-08-31 17:32 18308 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\IEDef.reg
2011-08-31 17:32 . 2011-08-31 17:32 1754 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\regf.reg
2011-08-31 16:53 . 2011-08-16 12:48 7152464 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-08-31 16:53 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-31 16:51 . 2011-08-31 16:51 -------- d-----w- c:\program files\Windows Defender
2011-08-30 22:24 . 2011-08-30 22:24 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-30 20:42 . 2011-08-30 20:42 -------- d-----w- C:\spoolerlogs
2011-08-25 19:24 . 2011-08-25 19:24 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-01 00:41 . 2006-06-11 00:02 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp
2011-09-01 00:24 . 2006-06-10 23:52 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-01 00:16 . 2004-08-03 23:14 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-31 21:17 . 2004-08-03 22:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-31 17:32 . 2006-06-10 23:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2011-08-30 22:49 . 2011-08-30 22:49 388096 ----a-r- c:\documents and settings\Ryan Fredericks\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-30 20:46 . 2006-06-10 23:52 143428 ----a-w- c:\windows\system32\nvsvc32.exe
2011-08-16 22:36 . 2011-05-25 22:20 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-06-10 23:52 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-06-10 23:52 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-25 273544]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\Ryan Fredericks\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe [2008-3-18 4742184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-13 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-8-25 528384]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 22:11 640440 -c--a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-09-07 19:53 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-11-18 03:47 118784 -c--a-w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-03-17 01:58 47392 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppMon Utility]
2006-03-15 17:55 40960 -c--a-w- c:\program files\Sony\AppMonUtil\AppMonUtility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 08:49 318096 -c--a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DirectPlayerCore]
2009-09-24 21:45 1150016 -c--a-w- c:\program files\NBC Direct\DirectPlayerCore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExecAfterFirstBoot]
2005-03-16 18:22 204800 -c--a-w- c:\windows\SONYSYS\EFlyer\ExecAfterFirstBoot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-04-20 17:10 50792 -c--a-w- c:\program files\Common Files\AOL\1150570943\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-12-15 15:18 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-02-21 23:59 143360 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2004-02-20 21:12 32768 -c--a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 22:34 213936 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-02-13 15:42 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-07-23 03:25 28160 -c--a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-07-19 14:05 53248 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-08 14:50 7561216 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-08 14:50 86016 -c--a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 20:12 26192168 -c--a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
2006-01-26 09:28 212992 -c--a-w- c:\program files\Sony\VAIO Power Management\SPMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-24 23:53 1242448 -c--a-w- c:\progra~1\Valve\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
2005-11-24 18:47 167936 -c--a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 04:08 28672 -c--a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2005-10-12 04:36 151552 -c--a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
2005-12-01 09:20 69632 -c--a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2005-06-13 22:42 258048 -c--a-w- c:\program files\Sony\VAIO Survey\SurveySA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 -c----w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"Image Converter video recording monitor for VAIO Entertainment"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"gusvc"=2 (0x2)
"OpenCASE Media Agent"=2 (0x2)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Adobe Version Cue CS4"=3 (0x3)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"Pharos Systems ComTaskMaster"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58306:TCP"= 58306:TCP:PandoRest Listening Port
"57232:TCP"= 57232:TCP:PandoRest Listening Port
"56666:TCP"= 56666:TCP:PandoRest Listening Port
"57541:TCP"= 57541:TCP:PandoRest Listening Port
"58998:TCP"= 58998:TCP:PandoRest Listening Port
"57251:TCP"= 57251:TCP:Pando Media Booster
"57251:UDP"= 57251:UDP:Pando Media Booster
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"56903:TCP"= 56903:TCP:Pando Media Booster
"56903:UDP"= 56903:UDP:Pando Media Booster
"58433:TCP"= 58433:TCP:Pando Media Booster
"58433:UDP"= 58433:UDP:Pando Media Booster
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"56396:TCP"= 56396:TCP:Pando Media Booster
"56396:UDP"= 56396:UDP:Pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"6979:TCP"= 6979:TCP:League of Legends Launcher
"6979:UDP"= 6979:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"6983:TCP"= 6983:TCP:League of Legends Launcher
"6983:UDP"= 6983:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/31/2011 4:13 PM 366640]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/31/2011 4:13 PM 22712]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [6/10/2006 7:52 PM 29184]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [6/10/2006 7:52 PM 226304]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [7/19/2010 10:37 AM 103424]
S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [7/19/2010 10:37 AM 103424]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/2/2009 4:23 PM 717296]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-09-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1558351877-522379458-2971586956-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-09-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1558351877-522379458-2971586956-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Ryan Fredericks\Application Data\Mozilla\Firefox\Profiles\uh4vz55x.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
MSConfigStartUp-ViewpointPhotosDeviceConnect - c:\program files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-23 16:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Cdrom]
"ImagePath"="system32\drivers\tsk9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1204)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\VESWinlogon.dll
.
- - - - - - - > 'explorer.exe'(2256)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\program files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2011-09-23 16:47:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-23 20:47
ComboFix2.txt 2011-09-18 19:34
.
Pre-Run: 20,186,759,168 bytes free
Post-Run: 20,016,996,352 bytes free
.
- - End Of File - - 8C48EC1B44D448D42E16B669134C9A48

#18 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 27 September 2011 - 07:45 PM

Hi,

Next, please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#19 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 03 October 2011 - 03:12 PM

Hey screen317,

The ESET Scanner would not run. It said "Unexpected Error 101: ESET Scanner has already been run on this computer in the past. Only files necessary to update to the current version will be updated." After this, it pauses and never gets anywhere. I tried the downloadable version that it asks about if you try accessing it from Firefox, and that one did not work either.

I did the Security Check (while I had all my antivirus protection down). The results are pasted below.

As for symptoms, the computer seems to be running fine with no more redirection from Google. The only "issue" is that the ESET Scanner is not working. Thanks for your help!

Results of screen317's Security Check version 0.99.19
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
SonicStage Mastering Studio Audio Filter Custom Preset
McAfee VirusScan Enterprise
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java™ 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.3.183.10
Mozilla Firefox (Player..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
McAfee VirusScan Enterprise VsTskMgr.exe
McAfee VirusScan Enterprise SHSTAT.EXE
``````````End of Log````````````

#20 Maelski

Maelski

    New Member

  • Members
  • Pip
  • 16 posts

Posted 03 October 2011 - 03:14 PM

Also, I can access VirusTotal.com now, whereas I was not able to do this in the past.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users