Reid
First of all, thank you for trying to help me with this. I have used my "clean" laptop to change my banking passwords. The SDFix ran, but with some error windows. These may show up in the log file, but if not, it was as follows:
C:\PROGRA~1\Symantec\S32EVNT1.DLL. An installable Virtual Device Driver failed DLL initialization. Choose "Close" to terminate the application.
I had to select "Close" multiple times and even "Ignore" twice. It finally completed. Please see the attached files as requested. I also included the zip file from the last ComboFix run with the CFScript text file, because the automated submittal function uploaded the file to bleepingcomputer.com for analysis and I was not sure you would receive it.
As an additional note, I have noticed since running this last operation that my keyboard is not functioning properly. It seems sluggish and occasionally misses keystrokes.
SDFix: Version 1.127
Run by David Porter on Wed 01/16/2008 at 08:06 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Service
Path:
C:\WINDOWS\SERVICE.EXE
Service - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\PROGRA~1\WINDOW~1\PROGYB~1.HTM - Deleted
C:\PROGRA~1\WINDOW~1\LAWUME~1 - Deleted
C:\WINDOWS\system32\CID - Deleted
C:\WINDOWS\system32\drivers\etc\hosts.bho - Deleted
C:\WINDOWS\system32\SvcNm - Deleted
C:\WINDOWS\system32\upds.log - Deleted
C:\WINDOWS\system32\url1 - Deleted
C:\WINDOWS\system32\url2 - Deleted
C:\WINDOWS\system32\url3 - Deleted
C:\WINDOWS\system32\wscmp.dll.tmp - Deleted
Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\svcd - Removed
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-16 20:29:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\xe6H\xf5w\17\xe6\1]
"DisplayName"="\t"
"DeviceDesc"="\t"
"ProviderName"=""
"MFG"="\xe5c"
"ReinstallString"="2002, 6.13.10.6094"
"DeviceInstanceIds"=str(7):""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5A258FBD-3BF0-D182-E84D-9632ED1508AF}]
"abcdndobacdkjheeihghiopanifgcaikai"=hex:61,61,00,00
"bbcdndobacdkjheeihdhbmggbcljkmjbgmno"=hex:61,61,00,00
scanning hidden files ...
C:\WINDOWS\Temp\JET93AF.tmp
C:\WINDOWS\Temp\JET99CB.tmp
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Finished!
ComboFix 08-01-16.3 - David Porter 2008-01-16 20:58:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.556 [GMT -6:00]
Running from: C:\Documents and Settings\David Porter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Porter\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\usbintell.sys
C:\WINDOWS\system32\wscmp.dll.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\bak
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\bak\AdobeUpdateManager.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
C:\Program Files\ATI Multimedia\main\bak
C:\Program Files\ATI Multimedia\main\bak\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\bak\ATISched.EXE
C:\Program Files\Brother\Brmfl04a\bak
C:\Program Files\Brother\Brmfl04a\bak\BrStDvPt.exe
C:\Program Files\Brother\ControlCenter2\bak
C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\qttask .exe
C:\Program Files\Windows Media Player\bak
C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe
C:\Temp
C:\Temp\Ryuan1\tepU.log
C:\Temp\Thumbs.db
C:\temp\tn3
C:\Temp\WMALog.txt
C:\VundoFix Backups
C:\VundoFix Backups\cbeeg.ini.bad
C:\VundoFix Backups\cbeeg.ini2.bad
C:\VundoFix Backups\geebc.dll.bad
C:\VundoFix Backups\iifghfe.dll.bad
C:\VundoFix Backups\vtussqq.dll.bad
C:\WINDOWS\bak
C:\WINDOWS\bak\NewMixer.exe
C:\WINDOWS\RGF2aWQgUG9ydGVy
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\ezSP_Px.exe
C:\WINDOWS\system32\bak\PSDrvCheck.exe
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\che9\farstadcom2.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\usbintell.sys
C:\WINDOWS\system32\edcA18
C:\WINDOWS\system32\edcA18\edcA182328.exe
C:\WINDOWS\system32\memomfmg.dll
C:\WINDOWS\system32\memouint.exe
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\nz0
C:\WINDOWS\system32\nz0\jetzcomz22.exe
C:\WINDOWS\system32\rushpugr.exe
C:\WINDOWS\system32\vt8
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_HBJK
-------\HBJK
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.
2008-01-16 19:12 . 2008-01-16 19:13 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 14:47 . 2008-01-16 14:48 <DIR> d-------- C:\Documents and Settings\Rodney\Application Data\AVG7
2008-01-15 20:11 . 2008-01-15 20:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-15 20:11 . 2008-01-16 18:31 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\AVG7
2008-01-15 19:52 . 2008-01-16 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-15 19:05 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-15 19:05 . 2008-01-15 16:02 211 --a------ C:\Boot.bak
2008-01-15 19:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 20:58 . 2008-01-14 20:58 <DIR> d-------- C:\Deckard
2008-01-13 19:40 . 2008-01-13 19:40 <DIR> d-------- C:\Documents and Settings\Rodney\Application Data\Grisoft
2008-01-13 18:52 . 2008-01-13 18:52 <DIR> d-------- C:\Program Files\Common Files\RuleSpace
2008-01-13 18:51 . 2008-01-13 18:51 <DIR> d-------- C:\Program Files\Common Files\Aluria
2008-01-13 11:07 . 2008-01-13 11:07 2,230 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-12 19:44 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-12 12:41 . 2008-01-12 12:41 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\Grisoft
2008-01-12 12:41 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-12 12:25 . 2008-01-15 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 18:47 . 2008-01-11 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 18:46 . 2008-01-11 18:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-11 17:18 . 2008-01-11 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 17:03 . 2008-01-11 17:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-11 17:03 . 2008-01-11 17:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 22:03 . 2008-01-16 20:58 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-09 22:15 . 2008-01-09 22:15 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-09 22:10 . 2008-01-11 16:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 15:01 . 2008-01-05 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-01-05 15:00 . 2008-01-05 15:00 <DIR> d-------- C:\Program Files\Cox
2008-01-05 14:40 . 2008-01-13 18:50 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-12-26 19:06 . 2007-12-26 19:06 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\MySpace
2007-12-20 22:33 . 2008-01-16 20:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-20 22:33 . 2007-12-20 22:33 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\SUPERAntiSpyware.com
2007-12-20 22:33 . 2007-12-20 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 22:32 . 2008-01-11 17:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 21:54 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-18 21:51 . 2007-12-18 22:07 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\HouseCall 6.6
2007-12-18 21:29 . 2007-12-18 21:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 08:54 . 2007-12-18 08:54 319,488 --a------ C:\WINDOWS\system32\dcads_sidebar.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 03:01 --------- d-----w C:\Program Files\QuickTime
2008-01-11 23:18 --------- d-----w C:\Program Files\Lavasoft
2008-01-11 23:04 --------- d-----w C:\Documents and Settings\David Porter\Application Data\FrostWire
2008-01-11 22:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-11 04:42 --------- d-----w C:\Program Files\FrostWire
2008-01-09 19:51 --------- d-----w C:\Program Files\Incomplete
2008-01-06 13:51 --------- d-----w C:\Program Files\FinePixViewer
2007-12-21 23:15 --------- d-----w C:\Program Files\Ares
2007-12-20 00:44 469,600 ----a-w C:\Documents and Settings\David Porter\Application Data\GDIPFONTCACHEV1.DAT
2007-12-19 01:22 --------- d-----w C:\Program Files\Spytech Software
2007-12-19 01:22 --------- d-----w C:\Program Files\Motive
2007-12-19 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 01:58 --------- d-----w C:\Program Files\Alienrazor Interactive
2007-12-07 01:16 --------- d-----w C:\Documents and Settings\Rodney Porter\Application Data\MySpace
2007-12-02 22:16 --------- d-----w C:\Program Files\AskSBar
2007-12-02 04:43 --------- d-----w C:\Documents and Settings\David Porter\Application Data\MP3Rocket
2007-12-02 04:35 --------- d-----w C:\Program Files\PFConfig
2007-12-02 02:25 --------- d-----w C:\Program Files\Java
2007-11-29 02:29 --------- d-----w C:\Program Files\Google
2007-11-28 04:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-28 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-28 04:53 --------- d-----w C:\Program Files\tunebite
2007-11-28 04:53 --------- d-----w C:\Program Files\Pegasys Inc
2007-11-28 04:44 --------- d-----w C:\Program Files\Hunting Unlimited
2007-11-28 04:42 --------- d-----w C:\Program Files\321Studios
2007-11-28 04:40 --------- d-----w C:\Program Files\DeductionPro 2006
2007-11-28 04:40 --------- d-----w C:\Program Files\AviSynth 2.5
2007-11-28 04:39 --------- d-----w C:\Program Files\Zittware
2007-11-28 04:35 --------- d-----w C:\Program Files\3D Live Pool
2007-11-22 13:31 --------- d-----w C:\Program Files\Simply Safe Backup 2005
2007-02-20 02:51 30,615 ----a-w C:\Documents and Settings\David Porter\x.exe
2003-09-17 22:24 560 ------w C:\Program Files\Global.sw
2005-12-19 17:34 56 --sh--r C:\WINDOWS\system32\3676101CED.sys
.
((((((((((((((((((((((((((((( snapshot_2008-01-15_19.39.10.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 01:04:00 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-17 02:57:45 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-16 01:04:00 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 02:57:45 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 01:04:01 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-17 02:57:45 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-16 01:04:01 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 02:57:45 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 01:04:01 10,121,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 02:57:46 10,121,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-16 01:04:01 450,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 02:57:46 450,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 00:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-17 01:14:10 10,121,216 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-01-17 01:14:10 450,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-16 00:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-17 01:13:30 10,121,216 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-01-17 01:13:30 450,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2001-08-23 12:00:00 50,620 ----a-w C:\WINDOWS\system32\command.com
+ 2001-08-18 19:00:00 50,620 ----a-w C:\WINDOWS\system32\command.com
- 2008-01-12 18:25:31 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-01-16 02:11:04 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
- 2008-01-12 18:25:36 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-01-16 02:11:09 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
- 2008-01-12 18:25:36 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-01-16 02:11:10 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
- 2008-01-12 18:25:37 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-16 02:11:11 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2008-01-12 18:25:37 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-16 02:11:11 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-17 03:05:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_264.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-02 16:16 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\iifghfe.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{2C0A5F28-48D8-408B-9172-9C6121025BCE}
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-12-02 16:16 267592]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [ ]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-12 12:18 1318912]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [2008-01-12 12:18 61440]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="C:\Program Files\Washer\washidx.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTXFIREG"="CTxfiReg.exe" []
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2008-01-12 12:18 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2008-01-12 12:18 851968]
"Auto Run Software for Photo Frame"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40 62952]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-15 20:10 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-15 20:11 219136]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\system32\narrator.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2006-12-28 17:19:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-01-17 19:31:46]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-03-04 17:42:12]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sfklg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\geebc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UStorage Server Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"service"=2 (0x2)
"bgsvcgen"=2 (0x2)
"AresChatServer"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-05-09 13:41]
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 08:45]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2002-01-08 10:16]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-05-09 13:41]
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-01-31 17:39]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS [2002-06-23 22:31]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-01-31 17:39]
R3 st3bus28;st3bus28;C:\WINDOWS\system32\DRIVERS\st3bus28.sys [2002-12-28 11:16]
R3 st3mp28;st3mp28;C:\WINDOWS\system32\DRIVERS\st3mp28.sys [2002-12-28 11:16]
S0 c2scsi;c2scsi;C:\WINDOWS\system32\DRIVERS\c2scsi.sys []
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S1 usbintell;usbintell;C:\WINDOWS\system32\drivers\usbintell.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 05:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\Drivers\LxrSG20d.sys [2005-08-29 14:07]
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys []
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]
S3 VICHW00;VICHW00;C:\WINDOWS\SYSTEM32\DRIVERS\VICHW00.SYS []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-16 21:08:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
.
Completion time: 2008-01-16 21:16:10 - machine was rebooted [David Porter]
ComboFix-quarantined-files.txt 2008-01-17 03:16:07
ComboFix2.txt 2008-01-16 01:40:01
ComboFix3.txt 2007-12-22 00:56:28
ComboFix4.txt 2007-12-22 00:44:20
.
2008-01-10 03:59:57 --- E O F ---