R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081204.003\IDSvix86.sys [2008-12-08 270384]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
R2 MSSQL$ALAMODE;SQL Server (ALAMODE);"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sALAMODE [2008-02-26 29183504]
R2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sVAIO_VEDB [2008-02-26 29183504]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-08 99376]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2007-05-29 73472]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2007-05-29 43904]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2007-05-29 31104]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-05-29 807424]
S3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\DRIVERS\acgprs.sys [2007-08-10 103808]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]
S3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\Image Converter 3\ICScsiSV.exe [2007-06-05 75952]
S3 IcVzMonLauncher;IcVzMonLauncher;"c:\program files\Sony\Image Converter 3\IcVzMonLauncher.exe" [2007-06-05 67760]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\Image Converter 3\IcVzMon.exe [2007-06-05 43184]
S3 scrswi;Sierra Wireless Smart Card Reader;c:\windows\system32\DRIVERS\scrswi.sys [2007-08-10 43904]
S3 slim;Sony Lucid Integrated Mpeg encoder;c:\windows\system32\drivers\slim.sys [2007-05-29 699520]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-06-05 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" []
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-06-05 1089536]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ed6f704-c565-11dd-85ac-0013a9e32462}]
\shell\AutoRun\command - H:\LaunchU3.exe -a
*Newly Created Service* - COMHOST
*Newly Created Service* - IKFILESEC
*Newly Created Service* - IKSYSFLT
*Newly Created Service* - IKSYSSEC
*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder
2008-12-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2008-12-09 c:\windows\Tasks\User_Feed_Synchronization-{CC15BC24-F625-40F5-9F07-24B9C7A84782}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hatcherappraisal.com/Intro.aspx
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 3 - c:\program files\Sony\Image Converter 3\menu.htm
Trusted Zone: *.alamode.com
Trusted Zone: *.almsr.com
Trusted Zone: *.appraiserxsites.com
Trusted Zone: *.certmail.com
Trusted Zone: *.interflood.com
Trusted Zone: *.mappoint.net
Trusted Zone: *.xsitesnetwork.com
c:\windows\Downloaded Program Files\stg_drm.ocx - c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Great%20Secrets%20-%20Da%20Vinci/Images/stg_drm.ocx
c:\windows\System32\msvcr80.dll - c:\windows\Downloaded Program Files\MLSClientUtils.dll
O16 -: {6FD482A3-7B57-438B-B040-52CAA30147EE}
hxxp://cbrmls.columbusrealtors.com/4.3.04.58/Control/MLSClientUtils.cab
c:\windows\Downloaded Program Files\MLSClientUtilsCab.inf
c:\windows\System32\msvcr71.dll - c:\windows\System32\MFC71.dll
c:\windows\System32\missouri.dll
c:\windows\System32\GeacView.dll
c:\windows\Downloaded Program Files\GeacRevw.ocx
O16 -: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E}
hxxp://cbrmls.columbusrealtors.com/4.3.07.83/Control/IRCSharc.cab
c:\windows\Downloaded Program Files\IRCSharcCab.inf
c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/armhelper.ocx
c:\windows\Downloaded Program Files\alaWeb5.dll - O16 -: {CD27EEF6-55B8-4F24-99C5-E1191D814445}
file:///C:/a%20la%20mode/WinTOTAL/Content/cabs/alaWeb5.CAB
c:\windows\Downloaded Program Files\alaWeb5.INF
FireFox -: Profile - c:\users\Geoff\AppData\Roaming\Mozilla\Firefox\Profiles\fo9rxexf.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.hatcherappraisal.com/Intro.aspx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 09:50:22
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-09 9:53:10
ComboFix-quarantined-files.txt 2008-12-09 14:52:10
ComboFix2.txt 2008-12-09 14:38:29
ComboFix3.txt 2008-12-09 01:38:52
Pre-Run: 100,180,107,264 bytes free
Post-Run: 100,136,026,112 bytes free
371 --- E O F --- 2008-11-29 04:29:40