ComboFix 09-03-19.02 - Irene Cheung 2009-03-22 0:47:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.192 [GMT 0:00]
Running from: c:\documents and settings\Irene Cheung\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *disabled*
FW: Kaspersky Internet Security *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.
2009-03-21 21:21 . 2009-03-22 00:00 d-------- c:\windows\SxsCaPendDel
2009-03-21 20:14 . 2009-03-21 20:14 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-21 20:14 . 2009-03-21 20:14 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-21 18:13 . 2009-03-21 18:25 101,287 --a------ c:\windows\system32\drivers\klin.dat
2009-03-21 18:13 . 2009-03-21 18:25 89,601 --a------ c:\windows\system32\drivers\klick.dat
2009-03-21 18:11 . 2009-03-21 18:11 d-------- c:\program files\Kaspersky Lab
2009-03-21 18:11 . 2009-03-22 00:53 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-21 18:11 . 2009-03-22 00:51 2,698,784 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-21 18:11 . 2009-03-22 00:51 434,208 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-03-21 18:11 . 2009-03-22 00:51 23,212 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-21 18:11 . 2009-03-22 00:51 2,564 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-03-16 07:09 . 2009-03-16 07:09 28,256 --a------ c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2009-03-16 07:06 . 2009-03-16 07:06 d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-03-16 07:04 . 2006-04-04 19:00 d-------- c:\documents and settings\Administrator\Application Data\Sony Corporation
2009-03-16 07:04 . 2009-03-16 07:04 d-------- c:\documents and settings\Administrator
2009-03-16 06:52 . 2009-03-16 07:12 d-------- C:\SDFix
2009-03-03 09:59 . 2009-03-03 09:59 d-------- c:\windows\system32\scripting
2009-03-03 09:59 . 2009-03-03 09:59 d-------- c:\windows\system32\en
2009-03-03 09:59 . 2009-03-03 09:59 d-------- c:\windows\system32\bits
2009-03-03 09:59 . 2009-03-03 09:59 d-------- c:\windows\l2schemas
2009-03-03 09:52 . 2009-03-03 10:00 d-------- c:\windows\ServicePackFiles
2009-03-03 09:46 . 2009-03-12 08:29 1,374 --a------ c:\windows\imsins.BAK
2009-03-03 09:38 . 2009-03-03 09:38 d-------- c:\windows\EHome
2009-03-02 02:49 . 2009-03-02 01:57 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-02 02:06 . 2009-03-02 02:06 d-------- c:\documents and settings\LocalService\Application Data\Share-to-Web Upload Folder
2009-03-02 01:58 . 2009-03-02 01:57 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-02 01:40 . 2009-03-02 01:40 d-------- c:\program files\Lavasoft
2009-03-02 01:40 . 2009-03-02 01:57 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-02 01:40 . 2009-03-02 01:40 d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-01 21:40 . 2009-03-01 21:40 d-------- c:\program files\Trend Micro
2009-02-28 23:30 . 2009-03-21 17:33 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-28 21:29 . 2009-02-28 21:29 d-------- c:\program files\MSXML 6.0
2009-02-28 16:25 . 2008-04-14 00:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2009-02-28 16:24 . 2008-04-14 00:12 1,737,856 --------- c:\windows\system32\mtxparhd.dll
2009-02-28 16:23 . 2008-04-14 00:11 397,312 --------- c:\windows\system32\mmcex.dll
2009-02-28 16:23 . 2008-04-14 00:11 184,320 --------- c:\windows\system32\microsoft.managementconsole.dll
2009-02-28 16:23 . 2008-04-14 00:11 106,496 --------- c:\windows\system32\mmcfxcommon.dll
2009-02-28 16:23 . 2008-04-14 00:11 37,376 --------- c:\windows\system32\l2gpstore.dll
2009-02-28 16:23 . 2008-04-14 00:12 33,792 --------- c:\windows\system32\mmcperf.exe
2009-02-28 16:21 . 2008-04-14 00:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2009-02-28 11:54 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-28 11:54 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-28 11:54 . 2009-02-09 11:13 1,846,784 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-02-28 11:53 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-28 11:53 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-28 11:53 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-28 11:53 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-02-28 11:50 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-02-28 10:22 . 2009-02-28 23:48 81,984 --a------ c:\windows\system32\bdod.bin
2009-02-28 10:15 . 2009-02-28 10:15 850 --a------ c:\windows\system32\ProductTweaks.xml
2009-02-28 10:15 . 2009-02-28 22:13 385 --a------ c:\windows\system32\user_gensett.xml
2009-02-28 00:08 . 2009-02-28 00:08 d-------- c:\program files\BitDefender
2009-02-28 00:08 . 2009-02-28 09:34 d-------- c:\documents and settings\All Users\Application Data\BitDefender
2009-02-27 23:57 . 2009-02-28 23:49 d-------- c:\program files\Common Files\BitDefender
2009-02-27 16:41 . 2009-02-28 23:58 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-24 00:07 . 2008-04-14 00:12 23,040 --a------ c:\windows\system32\setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 23:54 --------- d-----w c:\program files\Java
2009-03-21 22:38 --------- d-----w c:\program files\Common Files\Real
2009-03-21 20:42 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-21 17:24 --------- d-----w c:\program files\IEHistoryX
2009-03-16 06:46 28,256 -c--a-w c:\documents and settings\Irene Cheung\Application Data\GDIPFONTCACHEV1.DAT
2009-03-10 21:39 --------- d-----w c:\program files\MSN Messenger
2009-03-01 21:13 --------- d-----w c:\program files\QuickTime
2009-03-01 00:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-28 23:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-28 12:20 --------- d-----w c:\program files\KMPlayer
2009-02-16 17:22 --------- d-----w c:\documents and settings\Irene Cheung\Application Data\TeamViewer
2009-02-16 16:33 --------- d-----w c:\program files\Google
2009-02-10 12:36 --------- d-----w c:\program files\AVG
2009-01-29 14:06 --------- d-----w c:\program files\Free PDF to Word Doc Converter
2009-01-28 00:40 --------- d-----w c:\documents and settings\Irene Cheung\Application Data\585Soft
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-11 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-05 114688]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-02 509784]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-03-21 206088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-21 148888]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 c:\windows\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--------- 2003-11-07 08:21 114688 c:\program files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--a------ 2005-04-29 05:56 45056 c:\program files\Realtek\InstallShield\AzMixerSel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-06-26 17:50 212992 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--------- 2006-12-10 20:52 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--------- 2005-08-05 01:57 94208 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 12:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 12:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 12:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 12:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-11 18:42 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 09:43 69632 c:\windows\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--------- 2002-03-14 16:46 45056 c:\windows\system32\ico.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\HP Share-to-Web\\hpgs2wnf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Irene Cheung\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-02 64160]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-02 01:57]
2009-03-21 c:\windows\Tasks\User_Feed_Synchronization-{30AF291F-8AC6-4C99-808A-F6C70BD4CFF8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-DXDllRegExe - dxdllreg.exe
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://uk.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 00:53:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-22 0:58:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-22 00:58:16
Pre-Run: 16,610,598,912 bytes free
Post-Run: 17,081,982,976 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
231 --- E O F --- 2009-03-14 09:16:59