Tech Support Forum - View Single Post

ander02 · 12-05-2008, 09:24 AM

The thank you definitely goes your way, not mine! I'll stick around until you give me the all clear. Here's the log.

ComboFix 08-12-04.04 - Cory 2008-12-05 10:18:39.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.236 [GMT -6:00]
Running from: c:\documents and settings\Cory\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 08:16 . 2008-12-05 08:16 250 --a------ c:\windows\gmer.ini
2008-12-04 19:59 . 2008-12-04 19:59 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-04 19:59 . 2008-12-04 19:59 <DIR> d-------- c:\documents and settings\Cory\Application Data\SUPERAntiSpyware.com
2008-12-04 19:59 . 2008-12-04 19:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-04 19:58 . 2008-12-04 19:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-04 19:26 . 2008-12-04 19:27 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-04 19:23 . 2008-12-04 19:24 <DIR> d-------- c:\windows\ERUNT
2008-12-04 19:19 . 2008-12-04 19:38 <DIR> d-------- C:\SDFix
2008-12-04 18:59 . 2008-12-04 18:59 65,536 --a------ c:\windows\system32\drivers\TDSSljecmylt.sys
2008-12-04 18:59 . 2008-12-04 18:59 32,256 --a------ c:\windows\system32\TDSSvuctaorg.dll
2008-11-11 19:44 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:42 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 10:24 . 2008-04-13 13:40 43,904 --a------ c:\windows\system32\drivers\sbp2port.sys
2008-11-11 10:24 . 2008-04-13 13:40 43,904 --a--c--- c:\windows\system32\dllcache\sbp2port.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 01:18 --------- d-----w c:\program files\Trend Micro
2008-11-06 22:15 --------- d-----w c:\program files\Mozilla Thunderbird
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-05 20:56 --------- d--h--w c:\documents and settings\Cory\Application Data\Move Networks
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-01-29 22:23 628 -c--a-w c:\documents and settings\Nicole\Application Data\wklnhst.dat
2007-04-05 02:28 56,912 -c--a-w c:\documents and settings\Cory\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_19.47.39.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-05 14:16:01 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-12-05 03:01:08 65,536 ----a-r c:\windows\Installer\{57922B53-02D4-4DFC-AC24-A3519DC1F49A}\ARPPRODUCTICON.exe
+ 2008-12-05 03:01:08 65,536 ----a-r c:\windows\Installer\{57922B53-02D4-4DFC-AC24-A3519DC1F49A}\NewShortcut2_FA17A726B2294116B793A2AB1A4EAE2E.exe
+ 2008-12-05 03:01:08 65,536 ----a-r c:\windows\Installer\{57922B53-02D4-4DFC-AC24-A3519DC1F49A}\NewShortcut8_B44FF44BFF374DC7AB88CA08FBC29240.exe
+ 2008-12-05 03:03:07 65,536 ----a-r c:\windows\Installer\{8FFC924C-ED06-44CB-8867-3CA778ECE903}\AppLanuchShortcut_E9787678103300008E67000000000001_1.exe
+ 2008-12-05 03:03:07 65,536 ----a-r c:\windows\Installer\{8FFC924C-ED06-44CB-8867-3CA778ECE903}\NewShortcut1_38345BD7BBBC49CAB430216AC471F461.exe
+ 2008-12-05 03:03:07 65,536 ----a-r c:\windows\Installer\{8FFC924C-ED06-44CB-8867-3CA778ECE903}\ProgramMenuShortcut_E9787678103300008E670000000001_1.exe
+ 2008-12-05 01:59:22 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-12-05 01:59:22 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-12-05 14:16:01 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-10-15 17:59:25 204,120 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-05 14:09:27 204,120 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2006-07-13 17:02:08 53,248 -c--a-w c:\windows\system32\pxhpinst.exe
+ 2008-12-05 02:55:47 53,248 -c----w c:\windows\system32\pxhpinst.exe
+ 2008-12-05 14:09:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-06-25 20480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"vidxhp"="c:\documents and settings\Cory\Application Data\Google\ggqjh22510678.exe" [2008-12-04 124416]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-12-14 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-06 7557120]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-22 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\Nicole\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\Cory\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2008-04-29 372224]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-06-25 450560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= "c:\program files\Trend Micro\Tmas\sshook.dll" [2006-07-13 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 19:42 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB []
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-03-15 226304]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\Image Converter 2\IcVzMon.exe [2006-07-13 32768]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\DRIVERS\CamDrL20.sys [2008-06-25 245760]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2006-03-15 29184]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB []
S4 Sflopsvopst;Sflopsvopst; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{489fa68e-b00d-11dd-86fd-001302511d56}]
\Shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53e0e772-128c-11db-b7f9-806d6172696f}]
\shell\AutoRun\command - i:\sony\Autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Cory\Application Data\Mozilla\Firefox\Profiles\mep3jgu9.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 10:20:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2008-12-05 10:21:38
ComboFix-quarantined-files.txt 2008-12-05 16:21:11
ComboFix2.txt 2008-12-05 16:15:50
ComboFix3.txt 2008-12-05 01:48:51

Pre-Run: 70,648,074,240 bytes free
Post-Run: 70,634,913,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

199 --- E O F --- 2008-11-12 14:14:27

12-05-2008, 09:24 AM	#7 (permalink)
ander02 Registered User Join Date: Dec 2008 Posts: 9 OS: XP	Re: Sinowal Trojan The thank you definitely goes your way, not mine! I'll stick around until you give me the all clear. Here's the log. ComboFix 08-12-04.04 - Cory 2008-12-05 10:18:39.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.236 [GMT -6:00] Running from: c:\documents and settings\Cory\Desktop\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 ))))))))))))))))))))))))))))))) . 2008-12-05 08:16 . 2008-12-05 08:16 250 --a------ c:\windows\gmer.ini 2008-12-04 19:59 . 2008-12-04 19:59 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-12-04 19:59 . 2008-12-04 19:59 <DIR> d-------- c:\documents and settings\Cory\Application Data\SUPERAntiSpyware.com 2008-12-04 19:59 . 2008-12-04 19:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-12-04 19:58 . 2008-12-04 19:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-04 19:26 . 2008-12-04 19:27 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll 2008-12-04 19:23 . 2008-12-04 19:24 <DIR> d-------- c:\windows\ERUNT 2008-12-04 19:19 . 2008-12-04 19:38 <DIR> d-------- C:\SDFix 2008-12-04 18:59 . 2008-12-04 18:59 65,536 --a------ c:\windows\system32\drivers\TDSSljecmylt.sys 2008-12-04 18:59 . 2008-12-04 18:59 32,256 --a------ c:\windows\system32\TDSSvuctaorg.dll 2008-11-11 19:44 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-11 19:42 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll 2008-11-11 10:24 . 2008-04-13 13:40 43,904 --a------ c:\windows\system32\drivers\sbp2port.sys 2008-11-11 10:24 . 2008-04-13 13:40 43,904 --a--c--- c:\windows\system32\dllcache\sbp2port.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-05 01:18 --------- d-----w c:\program files\Trend Micro 2008-11-06 22:15 --------- d-----w c:\program files\Mozilla Thunderbird 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-10-05 20:56 --------- d--h--w c:\documents and settings\Cory\Application Data\Move Networks 2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll 2008-01-29 22:23 628 -c--a-w c:\documents and settings\Nicole\Application Data\wklnhst.dat 2007-04-05 02:28 56,912 -c--a-w c:\documents and settings\Cory\g2mdlhlpx.exe . ((((((((((((((((((((((((((((( snapshot@2008-12-04_19.47.39.26 ))))))))))))))))))))))))))))))))))))))))) . + 2008-12-05 14:16:01 884,736 ----a-w c:\windows\gmer.dll + 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe + 2008-12-05 03:01:08 65,536 ----a-r c:\windows\Installer\{57922B53-02D4-4DFC-AC24-A3519DC1F49A}\ARPPRODUCTICON.exe + 2008-12-05 03:01:08 65,536 ----a-r c:\windows\Installer\{57922B53-02D4-4DFC-AC24-A3519DC1F49A}\NewShortcut2_FA17A726B2294116B793A2AB1A4EAE2E.exe + 2008-12-05 03:01:08 65,536 ----a-r c:\windows\Installer\{57922B53-02D4-4DFC-AC24-A3519DC1F49A}\NewShortcut8_B44FF44BFF374DC7AB88CA08FBC29240.exe + 2008-12-05 03:03:07 65,536 ----a-r c:\windows\Installer\{8FFC924C-ED06-44CB-8867-3CA778ECE903}\AppLanuchShortcut_E9787678103300008E67000000000001_1.exe + 2008-12-05 03:03:07 65,536 ----a-r c:\windows\Installer\{8FFC924C-ED06-44CB-8867-3CA778ECE903}\NewShortcut1_38345BD7BBBC49CAB430216AC471F461.exe + 2008-12-05 03:03:07 65,536 ----a-r c:\windows\Installer\{8FFC924C-ED06-44CB-8867-3CA778ECE903}\ProgramMenuShortcut_E9787678103300008E670000000001_1.exe + 2008-12-05 01:59:22 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe + 2008-12-05 01:59:22 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe + 2008-12-05 14:16:01 85,969 ----a-w c:\windows\system32\drivers\gmer.sys - 2008-10-15 17:59:25 204,120 ----a-w c:\windows\system32\FNTCACHE.DAT + 2008-12-05 14:09:27 204,120 ----a-w c:\windows\system32\FNTCACHE.DAT - 2006-07-13 17:02:08 53,248 -c--a-w c:\windows\system32\pxhpinst.exe + 2008-12-05 02:55:47 53,248 -c----w c:\windows\system32\pxhpinst.exe + 2008-12-05 14:09:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7f4.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608] "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-06-25 20480] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "vidxhp"="c:\documents and settings\Cory\Application Data\Google\ggqjh22510678.exe" [2008-12-04 124416] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784] "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-12-14 217088] "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768] "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-06 7557120] "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128] "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-22 185896] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024] "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184] "LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752] "LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088] c:\documents and settings\Default User\Start Menu\Programs\Startup\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664] c:\documents and settings\Nicole\Start Menu\Programs\Startup\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664] c:\documents and settings\Cory\Start Menu\Programs\Startup\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2008-04-29 372224] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-06-25 450560] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= "c:\program files\Trend Micro\Tmas\sshook.dll" [2006-07-13 77824] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon] 2005-05-20 19:42 73728 c:\windows\system32\VESWinlogon.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll "msacm.enc"= ITIG726.acm [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundTimestampRequest"= 0 (0x0) "AllowInboundMaskRequest"= 0 (0x0) "AllowInboundRouterRequest"= 0 (0x0) "AllowOutboundDestinationUnreachable"= 0 (0x0) "AllowOutboundSourceQuench"= 0 (0x0) "AllowOutboundParameterProblem"= 0 (0x0) "AllowOutboundTimeExceeded"= 0 (0x0) "AllowRedirect"= 0 (0x0) "AllowOutboundPacketTooBig"= 0 (0x0) R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944] R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024] R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [] R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408] R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-03-15 226304] S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\Image Converter 2\IcVzMon.exe [2006-07-13 32768] S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\DRIVERS\CamDrL20.sys [2008-06-25 245760] S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2006-03-15 29184] S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [] S4 Sflopsvopst;Sflopsvopst; [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\Setup.exe -auto [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{489fa68e-b00d-11dd-86fd-001302511d56}] \Shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53e0e772-128c-11db-b7f9-806d6172696f}] \shell\AutoRun\command - i:\sony\Autorun.exe Newly Created Service - CATCHME Newly Created Service - GMER . Contents of the 'Scheduled Tasks' folder 2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.sony.com/vaiopeople uInternet Settings,ProxyOverride = localhost IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 FireFox -: Profile - c:\documents and settings\Cory\Application Data\Mozilla\Firefox\Profiles\mep3jgu9.default\ FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-05 10:20:20 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(832) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\VESWinlogon.dll . Completion time: 2008-12-05 10:21:38 ComboFix-quarantined-files.txt 2008-12-05 16:21:11 ComboFix2.txt 2008-12-05 16:15:50 ComboFix3.txt 2008-12-05 01:48:51 Pre-Run: 70,648,074,240 bytes free Post-Run: 70,634,913,792 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 199 --- E O F --- 2008-11-12 14:14:27