I have followed your instructions and am attaching the three logs you requested.
I still seem to have pop-ups randomly. I had to log into this website 3 times to be able to post.
Please let me know what I need to do next.
I have set up instant message but it does not go into my email?
SDFix: Version 1.212
Run by Scott on Mon 08/04/2008 at 11:27 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\vtUlJcDS.dll - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\system32\qmopt.dll - Deleted
C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\nvrsul32.dll - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-04 11:41:16
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"D:\\setup\\HPZnui01.exe"="D:\\setup\\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 18 Dec 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
Wed 4 Aug 2004 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Sun 13 Apr 2008 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Mon 25 Dec 2006 4,348 ..SH. --- "C:\WINDOWS\DRM\DRMv1.bak"
Thu 21 Dec 2000 110,080 A.SHR --- "C:\WINDOWS\COMMAND\EBD\WINBOOT.SYS"
Mon 26 Nov 2007 0 A.SH. --- "C:\WINDOWS\DRM\Cache\Indiv02.tmp"
Mon 21 Jan 2008 0 A.SH. --- "C:\WINDOWS\DRM\Cache\Indiv01.tmp"
Sun 27 Jul 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sun 27 Jul 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7779524ce1b472c62f1b0f1a192676ad\BIT9.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\97de84be36b27af6e66a0586433cda52\BIT5.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9ec3943a72ea4aa7fb7b808e2b7554c8\BIT6.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cb1cc7c8ed3868a5a32ffb677fe0fde8\BITA.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9664ff6405d9e0e32778ca8618d4be26\BIT7.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c909c63b4fa217757574b9dcdd658c3\BIT8.tmp"
Tue 29 Mar 2005 27,136 A..H. --- "C:\Documents and Settings\Scott\My Documents\Emerald Passport\~WRL0005.tmp"
Tue 29 Oct 2002 36,352 A..H. --- "C:\Documents and Settings\Scott\My Documents\Resume\~WRL3192.tmp"
Mon 21 Apr 2008 38,912 ...H. --- "C:\Documents and Settings\Scott\My Documents\Resume\~WRL0998.tmp"
Wed 23 Apr 2008 38,912 ...H. --- "C:\Documents and Settings\Scott\My Documents\Resume\~WRL2780.tmp"
Fri 25 Apr 2008 30,720 ...H. --- "C:\Documents and Settings\Scott\My Documents\Resume\~WRL0881.tmp"
Tue 19 Nov 2002 19,968 A..H. --- "C:\Documents and Settings\Scott\My Documents\School fund raisers\~WRL1633.tmp"
Mon 24 Mar 2003 28,160 A..H. --- "C:\Documents and Settings\Scott\My Documents\School fund raisers\~WRL1893.tmp"
Mon 10 Mar 2003 24,576 A..H. --- "C:\Documents and Settings\Scott\My Documents\Wood Floor Business\~WRL1610.tmp"
Mon 29 Jan 2007 22,016 ...H. --- "C:\Documents and Settings\Scott\My Documents\unemployment\~WRL0003.tmp"
Mon 29 Jan 2007 30,720 ...H. --- "C:\Documents and Settings\Scott\My Documents\unemployment\~WRL0264.tmp"
Mon 29 Jan 2007 23,552 ...H. --- "C:\Documents and Settings\Scott\My Documents\unemployment\~WRL2792.tmp"
Tue 22 Apr 2008 20,992 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL1696.tmp"
Wed 23 Apr 2008 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL3581.tmp"
Wed 9 Nov 2005 19,456 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 9 Nov 2005 19,456 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 9 Nov 2005 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL2562.tmp"
Wed 9 Nov 2005 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL1495.tmp"
Wed 9 Nov 2005 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL2729.tmp"
Wed 9 Nov 2005 20,480 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL3314.tmp"
Wed 9 Nov 2005 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL1868.tmp"
Sun 25 Nov 2007 20 A..H. --- "C:\Documents and Settings\Scott\Application Data\Real\Rhapsody\wmlicbackup\drmv1lic.bak"
Tue 27 Dec 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Finished!
=========
ComboFix 08-08-03.05 - Scott 2008-08-04 12:31:25.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.379 [GMT -4:00]
Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\#SharedObjects\DQ5DTTC7\interclick.com
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\#SharedObjects\DQ5DTTC7\interclick.com\ud.sol
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\autorun.inf
C:\WINDOWS\cookies.ini
C:\WINDOWS\start.exe
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\cejxqx.dll
C:\WINDOWS\system32\drivers\Winvc30.sys
C:\WINDOWS\system32\eauwwlpr.dll
C:\WINDOWS\SYSTEM32\kbrsjlha.ini
C:\WINDOWS\system32\kbsozf.dll
C:\WINDOWS\system32\kjhvgw.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfeusbxv.ini
C:\WINDOWS\system32\nmrvmikf.ini
C:\WINDOWS\system32\qoMgdcay.dll
C:\WINDOWS\system32\qvovknxx.dll
C:\WINDOWS\system32\rqRLFvuu.dll
C:\WINDOWS\system32\uaaoimxb.dll
C:\WINDOWS\SYSTEM32\uuvFLRqr.ini
C:\WINDOWS\SYSTEM32\uuvFLRqr.ini2
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\ygosgcth.ini
C:\WINDOWS\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_LANMANDRV
-------\Legacy_WINVC30
-------\Service_Winvc30
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.
2008-08-04 12:27 . 2008-08-04 12:27 99,200 --a------ C:\WINDOWS\SYSTEM32\htcgsogy.dll
2008-08-04 11:25 . 2008-08-04 11:26 578,560 --a------ C:\WINDOWS\SYSTEM32\dllcache\user32.dll
2008-08-04 11:18 . 2008-08-04 11:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-04 11:12 . 2008-08-04 11:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-04 10:50 . 2008-08-03 04:12 <DIR> d-------- C:\SDFix
2008-08-03 12:26 . 2008-08-03 12:26 98,688 --a------ C:\WINDOWS\SYSTEM32\ahljsrbk.dll
2008-08-03 12:25 . 2008-08-03 12:25 130,432 --a------ C:\WINDOWS\SYSTEM32\vhthho.dll
2008-08-03 12:25 . 2008-08-03 12:25 130,432 --a------ C:\WINDOWS\SYSTEM32\aefyhhdx.dll
2008-08-02 08:39 . 2008-08-02 08:39 130,432 --a------ C:\WINDOWS\SYSTEM32\xfogrels.dll
2008-08-02 08:39 . 2008-08-02 08:39 130,432 --a------ C:\WINDOWS\SYSTEM32\sqwrpw.dll
2008-07-31 17:01 . 2008-07-31 17:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-31 16:57 . 2008-07-31 16:57 <DIR> d-------- C:\Deckard
2008-07-31 14:13 . 2008-07-31 14:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-31 14:12 . 2008-07-31 14:13 2,869,536 --a------ C:\Program Files\spywareblastersetup41.exe
2008-07-31 09:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-31 09:23 . 2008-07-31 09:23 <DIR> d-------- C:\Program Files\Panda Security
2008-07-31 00:00 . 2008-07-31 00:00 99,712 --a------ C:\WINDOWS\SYSTEM32\eglntsuv.dll
2008-07-30 22:47 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-07-30 22:47 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-07-30 22:47 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-07-30 22:47 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\PC Tools
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-30 17:57 . 2008-07-30 17:57 99,712 --a------ C:\WINDOWS\SYSTEM32\phqvkjwj.dll
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-29 16:11 . 2008-07-29 16:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-29 16:00 . 2008-07-29 16:00 <DIR> d-------- C:\WINDOWS\EHome
2008-07-29 15:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml6.dll
2008-07-29 15:55 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-07-29 15:55 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-29 15:55 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-07-29 15:55 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-07-29 15:55 . 2008-04-13 20:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-07-29 15:55 . 2008-04-13 20:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-07-29 15:55 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-07-29 15:53 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
2008-07-29 15:52 . 2004-08-03 22:41 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2008-07-29 15:11 . 2008-07-29 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-07-29 15:08 . 2008-07-29 15:08 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Citrix
2008-07-29 14:57 . 2008-07-29 14:57 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\McAfee
2008-07-28 08:17 . 2008-07-28 08:17 <DIR> d-------- C:\Program Files\RegCure
2008-07-27 23:05 . 2008-07-27 23:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-27 23:05 . 2008-08-04 12:41 12,799 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-27 23:04 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-07-27 23:02 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-07-27 23:02 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-07-27 23:02 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-07-27 23:02 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-07-27 23:02 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-27 23:01 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-07-27 22:54 . 2008-07-27 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 20:39 . 2008-07-24 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-24 19:27 . 2008-07-24 19:27 860,840 --a------ C:\Program Files\Support-LogMeInRescue.exe
2008-07-24 19:11 . 2008-07-24 19:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\N360_BACKUP
2008-07-20 13:00 . 2008-07-20 13:00 <DIR> d--hs---- C:\FOUND.028
2008-07-18 10:00 . 2008-07-18 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-18 09:28 . 2008-07-18 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-07-16 09:24 . 2008-07-16 09:24 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Windows Desktop Search
2008-07-16 09:23 . 2008-07-16 09:23 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-07-16 08:55 . 2008-07-16 08:55 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-16 08:54 . 2008-07-16 08:54 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-16 08:50 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Microsoft Help
2008-07-16 08:49 . 2008-07-16 08:49 <DIR> dr-h----- C:\MSOCache
2008-07-16 08:49 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-16 08:24 . 2008-07-16 08:24 214,297,118 --a------ C:\Program Files\Outlook_2007_EN.zip
2008-07-09 03:00 . 2008-07-09 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Roxio
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-08 20:25 . 2008-07-08 20:25 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Blackberry Desktop
2008-07-08 20:20 . 2008-07-08 20:20 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Research In Motion
2008-07-08 20:20 . 2008-07-21 17:34 256 --a------ C:\WINDOWS\SYSTEM32\pool.bin
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-08 19:54 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\RimSerial.sys
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 20:40 48,248 ----a-w C:\Documents and Settings\Scott\Application Data\GDIPFONTCACHEV1.DAT
2008-07-29 19:08 61,224 ----a-w C:\WINDOWS\JAVA\GoToAssistDownloadHelper.exe
2008-07-16 22:32 10,946,560 ----a-w C:\Program Files\XPSEP XP and Server 2003 64 bit.msi
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\SYSTEM32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\dllcache\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-02-27 01:55 5,910,715 ----a-w C:\Program Files\Audit_Support_Center.exe
2007-08-05 17:09 18,568,192 ----a-w C:\Program Files\yie7setup_tb7_news.exe
2007-07-06 16:18 138,197 ----a-w C:\Program Files\ConfirmationLetter.pdf
2007-02-27 21:27 22,976,688 ----a-w C:\Program Files\stamps.exe
2006-04-08 16:32 1,515,898 ----a-w C:\Program Files\LOM.exe
2005-04-03 16:27 271 --sh--w C:\Program Files\desktop.ini
2005-04-03 16:27 23,357 ---h--w C:\Program Files\folder.htt
2003-08-20 22:40 289 ----a-w C:\Program Files\readme.html
2003-07-30 19:06 8,944 ----a-w C:\Program Files\Oj71WinXP.cat
2003-07-30 19:06 36,926 ----a-w C:\Program Files\oj71inst.cat
2003-06-25 06:43 16,384 ----a-w C:\Program Files\hpo9xmig.exe
2003-06-25 04:41 9,078 ----a-w C:\Program Files\Oj71WinXP.inf
2002-09-09 19:11 6,130 ----a-w C:\Program Files\Oj71Inst.inf
2001-02-17 08:12 22,048 ----a-w C:\Program Files\cocpyinf.dll
2004-08-04 16:00 94,784 --sh--w C:\WINDOWS\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d55dc94e-9e30-4c2c-9f38-726d1855a464}]
2008-08-03 12:25 130432 --a------ C:\WINDOWS\system32\vhthho.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"375113a0"="C:\WINDOWS\system32\htcgsogy.dll" [2008-08-04 12:27 99200]
C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-04-21 08:40:28 256000]
PowerReg Scheduler V3.exe [2005-07-21 07:20:00 225280]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL sqwrpw.dll vhthho.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"aux"= ctwdm32.dll
"VIDC.VDOM"= vdowave.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms30.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 12:28 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
--a------ 2007-11-30 05:42 1164576 C:\PROGRA~1\McAfee\MHN\McENUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-03-29 18:28 6815744 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
--a------ 2007-08-24 17:57 36640 C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--------- 2004-08-04 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys [2002-12-17 12:27]
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys [2005-04-03 14:35]
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2005-04-03 14:35]
R2 hpqddsvc;HP CUE DeviceDiscovery Service;C:\WINDOWS\system32\svchost.exe [2008-04-13 20:12]
R2 MCSTRM;MCSTRM;C:\WINDOWS\system32\drivers\MCSTRM.sys [2007-11-25 20:43]
R2 Net Driver HPZ12;Net Driver HPZ12;C:\WINDOWS\System32\svchost.exe [2008-04-13 20:12]
R2 NVSvc;NVIDIA Driver Helper Service;C:\WINDOWS\system32\nvsvc32.exe [2001-11-15 16:12]
R2 SiteAdvisor Service;SiteAdvisor Service;C:\Program Files\SiteAdvisor\6261\SAService.exe [2008-07-29 08:02]
R2 WSearch;Windows Search;C:\WINDOWS\system32\SearchIndexer.exe [2007-02-05 15:34]
R3 ctljystk;Creative SBLive! Gameport;C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 12:19]
R3 DM9102;DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver;C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS [2001-08-17 12:11]
R3 hpqcxs08;hpqcxs08;C:\WINDOWS\system32\svchost.exe [2008-04-13 20:12]
R3 HPSLPSVC;HP Network Devices Support;C:\WINDOWS\system32\svchost.exe [2008-04-13 20:12]
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys [2005-04-03 14:35]
R3 RimVSerPort;RIM Virtual Serial Port v2;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 10:24]
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 13:53]
S0 Winms30;Winms30;C:\WINDOWS\system32\Drivers\Winms30.sys []
S3 dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 14:39]
S3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 13:47]
S3 dot4usb;Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 13:47]
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys [2005-04-03 14:35]
S3 odserv;Microsoft Office Diagnostics Service;C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 19:49]
S3 RimUsb;BlackBerry Smartphone;C:\WINDOWS\system32\Drivers\RimUsb.sys [2007-05-31 13:39]
S3 sdAuxService;PC Tools Auxiliary Service;C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 15:29]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 18:22]
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb;C:\WINDOWS\system32\Drivers\wpdusb.sys [2006-10-18 20:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2008-07-28 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-07-28 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-07-31 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
2008-08-04 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-lanmanwrk - C:\WINDOWS\System32\lanmanwrk.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\SYSTEM\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-04 12:41:12
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\htcgsogy.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\MCAFEE\MSC\MCMSCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
C:\PROGRAM FILES\MCAFEE\MPF\MPFSRV.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-04 12:45:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-04 16:45:16
Pre-Run: 16,506,191,872 bytes free
Post-Run: 16,501,080,064 bytes free
373 --- E O F --- 2008-07-30 14:17:32
==========
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:15 PM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {464a5581-d627-83f9-c2c4-03e9e49cd55d} - {d55dc94e-9e30-4c2c-9f38-726d1855a464} - C:\WINDOWS\system32\vhthho.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [375113a0] rundll32.exe "C:\WINDOWS\system32\htcgsogy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186328631921
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - AppInit_DLLs: NVDESK32.DLL sqwrpw.dll vhthho.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8477 bytes
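Added example, not part of the poster's logs and not code from HijackThis or ComboFix: a small triage script that applies the structural rules a responder uses when reading an O2/O4/O20 section like the one above. It does not judge DLLs by name "randomness"; it flags an O2 BHO that has no real display name (or a GUID as its name) and loads from system32, an O4 Run value whose name is an 8-hex-digit string or that uses rundll32 to call a system32 DLL through a one-letter export, and every O20 AppInit_DLLs entry not on an allowlist, then cross-references DLLs that appear under more than one entry. The sample lines are copied from the HijackThis log above, with benign entries kept so the rules have something to leave alone; the allowlist entry for NVDESK32.DLL (treated here as the NVIDIA desktop DLL) and the thresholds are assumptions. A hit is a lead to confirm by hash or sample submission, not a verdict.

```python
import re
from collections import Counter

# Lines reproduced from the HijackThis log in this thread; benign ones
# included on purpose so the rules have entries they must not flag.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: {464a5581-d627-83f9-c2c4-03e9e49cd55d} - {d55dc94e-9e30-4c2c-9f38-726d1855a464} - C:\WINDOWS\system32\vhthho.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [375113a0] rundll32.exe "C:\WINDOWS\system32\htcgsogy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: NVDESK32.DLL sqwrpw.dll vhthho.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*) - (\{[^}]+\}) - (.*)$")          # name - {clsid} - path
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$")     # [value name] command
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?,(\w*)', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
# Assumption: NVDESK32.DLL belongs to the NVIDIA driver package on this box.
APPINIT_ALLOWLIST = {"nvdesk32.dll"}


def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def first_token(cmd):
    """The program a Run command launches (quoted path or first word)."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return m.group(1) or m.group(2)


def triage(log_text):
    """Return a list of {entry, target, reasons} for suspicious HJT lines."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "O2":
            b = BHO_RE.match(rest)
            if not b:
                continue
            name, _clsid, path = b.groups()
            unnamed = name == "(no name)" or bool(GUID_RE.match(name))
            if unnamed and SYSTEM32_RE.match(path):
                findings.append({"entry": kind, "target": path, "reasons": [
                    "BHO with no real display name loaded from system32"]})
        elif kind == "O4":
            r = RUN_RE.match(rest)
            if not r:
                continue
            value_name, cmd = r.groups()
            target, reasons = first_token(cmd), []
            if HEX_NAME_RE.match(value_name):
                reasons.append("Run value name is an 8-hex-digit string")
            d = RUNDLL_RE.search(cmd)
            if d:
                dll, export = d.groups()
                target = dll
                if SYSTEM32_RE.match(dll) and len(export) <= 1:
                    reasons.append("rundll32 loads a system32 DLL via a one-letter export")
            if reasons:
                findings.append({"entry": kind, "target": target, "reasons": reasons})
        elif kind == "O20" and rest.startswith("AppInit_DLLs:"):
            for dll in rest.split(":", 1)[1].split():
                if dll.lower() not in APPINIT_ALLOWLIST:
                    findings.append({"entry": kind, "target": dll, "reasons": [
                        "AppInit_DLLs injects this DLL into every process that loads user32.dll"]})
    # Cross-reference: one DLL under several autostart entries is a stronger lead.
    counts = Counter(basename(f["target"]) for f in findings)
    for f in findings:
        if counts[basename(f["target"])] > 1:
            f["reasons"].append("same DLL referenced by more than one autostart entry")
    return findings


def flagged_basenames(findings):
    return {basename(f["target"]) for f in findings}


def multi_entry_dlls(findings):
    return {basename(f["target"]) for f in findings
            if any("more than one" in r for r in f["reasons"])}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['entry']:4} {f['target']}")
        for reason in f["reasons"]:
            print("     -", reason)
```

Run as-is it lists the three system32 DLLs and the Run value from the log above, with vhthho.dll marked as appearing under both an O2 and an O20 entry; SiteAdv.dll, which is also "(no name)" but lives under Program Files, is deliberately not flagged. Point the script at a full HijackThis log to use it on another machine.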