Hi,
I went through and followed your instructions exactly. I will paste the ComboFix log and HijackThis log below.
Thanks again for your help, I look forward to the articles on computer protection. I think I will be using Kaspersky after this.
ComboFix 08-08-03.05 - Scott 2008-08-05 8:40:11.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.401 [GMT -4:00]
Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Scott\Desktop\CFscript (3).txt
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-05 08:04 . 2008-08-05 08:04 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-04 17:07 . 2008-08-04 17:07 <DIR> d-------- C:\WINDOWS\Sun
2008-08-04 17:06 . 2008-08-04 17:06 <DIR> d-------- C:\Program Files\Java
2008-08-04 17:06 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-08-04 17:05 . 2008-08-04 17:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-04 13:33 . 2008-08-04 13:33 <DIR> d--hs---- C:\FOUND.029
2008-08-04 11:25 . 2008-08-04 11:26 578,560 --a------ C:\WINDOWS\SYSTEM32\dllcache\user32.dll
2008-08-04 11:18 . 2008-08-04 11:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-04 11:12 . 2008-08-04 11:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-04 10:50 . 2008-08-03 04:12 <DIR> d-------- C:\SDFix
2008-07-31 17:01 . 2008-07-31 17:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-31 16:57 . 2008-07-31 16:57 <DIR> d-------- C:\Deckard
2008-07-31 14:13 . 2008-07-31 14:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-31 14:12 . 2008-07-31 14:13 2,869,536 --a------ C:\Program Files\spywareblastersetup41.exe
2008-07-31 09:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-31 09:23 . 2008-07-31 09:23 <DIR> d-------- C:\Program Files\Panda Security
2008-07-30 22:47 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-07-30 22:47 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-07-30 22:47 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-07-30 22:47 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\PC Tools
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-29 16:11 . 2008-07-29 16:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-29 16:00 . 2008-07-29 16:00 <DIR> d-------- C:\WINDOWS\EHome
2008-07-29 15:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml6.dll
2008-07-29 15:55 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-07-29 15:55 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-29 15:55 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-07-29 15:55 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-07-29 15:55 . 2008-04-13 20:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-07-29 15:55 . 2008-04-13 20:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-07-29 15:55 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-07-29 15:53 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
2008-07-29 15:52 . 2004-08-03 22:41 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2008-07-29 15:11 . 2008-07-29 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-07-29 15:08 . 2008-07-29 15:08 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Citrix
2008-07-29 14:57 . 2008-07-29 14:57 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\McAfee
2008-07-28 08:17 . 2008-07-28 08:17 <DIR> d-------- C:\Program Files\RegCure
2008-07-27 23:05 . 2008-07-27 23:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-27 23:05 . 2008-08-05 08:02 4,527 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-27 23:04 . 2006-03-03 08:07 143,360 --------- C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-07-27 23:02 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-07-27 23:02 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-07-27 23:02 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-07-27 23:02 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-07-27 23:02 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-27 23:01 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-07-27 22:54 . 2008-07-27 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 20:39 . 2008-07-24 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-24 19:27 . 2008-07-24 19:27 860,840 --a------ C:\Program Files\Support-LogMeInRescue.exe
2008-07-24 19:11 . 2008-07-24 19:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\N360_BACKUP
2008-07-20 13:00 . 2008-07-20 13:00 <DIR> d--hs---- C:\FOUND.028
2008-07-18 10:00 . 2008-07-18 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-18 09:28 . 2008-07-18 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-07-16 09:24 . 2008-07-16 09:24 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Windows Desktop Search
2008-07-16 09:23 . 2008-07-16 09:23 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-07-16 08:55 . 2008-07-16 08:55 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-16 08:54 . 2008-07-16 08:54 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-16 08:50 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Microsoft Help
2008-07-16 08:49 . 2008-07-16 08:49 <DIR> dr-h----- C:\MSOCache
2008-07-16 08:49 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-16 08:24 . 2008-07-16 08:24 214,297,118 --a------ C:\Program Files\Outlook_2007_EN.zip
2008-07-09 03:00 . 2008-07-09 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Roxio
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-08 20:25 . 2008-07-08 20:25 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Blackberry Desktop
2008-07-08 20:20 . 2008-07-08 20:20 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Research In Motion
2008-07-08 20:20 . 2008-07-21 17:34 256 --a------ C:\WINDOWS\SYSTEM32\pool.bin
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-08 19:54 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\RimSerial.sys
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 20:40 48,248 ----a-w C:\Documents and Settings\Scott\Application Data\GDIPFONTCACHEV1.DAT
2008-07-29 19:08 61,224 ----a-w C:\WINDOWS\JAVA\GoToAssistDownloadHelper.exe
2008-07-16 22:32 10,946,560 ----a-w C:\Program Files\XPSEP XP and Server 2003 64 bit.msi
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\SYSTEM32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\dllcache\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-02-27 01:55 5,910,715 ----a-w C:\Program Files\Audit_Support_Center.exe
2007-08-05 17:09 18,568,192 ----a-w C:\Program Files\yie7setup_tb7_news.exe
2007-07-06 16:18 138,197 ----a-w C:\Program Files\ConfirmationLetter.pdf
2007-02-27 21:27 22,976,688 ----a-w C:\Program Files\stamps.exe
2006-04-08 16:32 1,515,898 ----a-w C:\Program Files\LOM.exe
2005-04-03 16:27 271 --sh--w C:\Program Files\desktop.ini
2005-04-03 16:27 23,357 ---h--w C:\Program Files\folder.htt
2003-08-20 22:40 289 ----a-w C:\Program Files\readme.html
2003-07-30 19:06 8,944 ----a-w C:\Program Files\Oj71WinXP.cat
2003-07-30 19:06 36,926 ----a-w C:\Program Files\oj71inst.cat
2003-06-25 06:43 16,384 ----a-w C:\Program Files\hpo9xmig.exe
2003-06-25 04:41 9,078 ----a-w C:\Program Files\Oj71WinXP.inf
2002-09-09 19:11 6,130 ----a-w C:\Program Files\Oj71Inst.inf
2001-02-17 08:12 22,048 ----a-w C:\Program Files\cocpyinf.dll
2004-08-04 16:00 94,784 --sh--w C:\WINDOWS\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
.
((((((((((((((((((((((((((((( snapshot_2008-08-04_16.56.03.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-03 12:07:02 143,360 ----a-w C:\WINDOWS\LastGood\system32\dunzip32.dll
+ 2008-04-14 00:12:04 23,040 ----a-w C:\WINDOWS\LastGood\system32\psapi.dll
- 2008-08-04 17:03:56 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-08-05 12:08:32 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-08-04 17:03:56 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-05 12:08:32 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-04 17:03:56 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-05 12:08:32 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-13 22:39:10 13,312 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-06-10 05:21:02 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-04-21 08:40:28 256000]
PowerReg Scheduler V3.exe [2005-07-21 07:20:00 225280]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"aux"= ctwdm32.dll
"VIDC.VDOM"= vdowave.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms30.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 12:28 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
--a------ 2007-11-30 05:42 1164576 C:\PROGRA~1\McAfee\MHN\McENUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-03-29 18:28 6815744 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
--a------ 2007-08-24 17:57 36640 C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--------- 2004-08-04 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S0 Winms30;Winms30;C:\WINDOWS\system32\Drivers\Winms30.sys []
S2 0246901217938120mcinstcleanup;McAfee Application Installer Cleanup (0246901217938120);C:\WINDOWS\TEMP\024690~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 18:22]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-07-28 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-07-28 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-07-31 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
2008-08-05 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-lanmanwrk - C:\WINDOWS\System32\lanmanwrk.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-05 08:43:26
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
Completion time: 2008-08-05 8:44:46
ComboFix-quarantined-files.txt 2008-08-05 12:44:34
ComboFix3.txt 2008-08-04 16:45:40
ComboFix2.txt 2008-08-04 20:57:08
Pre-Run: 15,782,903,808 bytes free
Post-Run: 15,885,516,800 bytes free
294 --- E O F --- 2008-08-05 12:05:56
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:16 AM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186328631921
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O23 - Service: McAfee Application Installer Cleanup (0246901217938120) (0246901217938120mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024690~1.EXE (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
--
End of file - 9072 bytes