Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 06-30-2008, 02:07 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 24
OS: WINDOWS XP SP2


[SOLVED] Antivirus XP 2008 hijacked

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:29 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\pphclquj0e91e.exe
C:\Program Files\Zabaware\HalReader\HalReader.exe
C:\Program Files\Mitel Networks\Your Assistant 4.1\Assemblies\YA.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mitel Networks\Your Assistant 4.1\Bin\wave.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Run RunOnce] D:\RunOnce.exe C:\UPS\UOWS\ShipUPS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows iMessenger Messenger] winimsg.exe
O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\RunServices: [Windows iMessenger Messenger] winimsg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [Windows iMessenger Messenger] winimsg.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Your Assistant 4.1.lnk = C:\Program Files\Mitel Networks\Your Assistant 4.1\Assemblies\YA.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ultra Hal Text-to-Speech Reader Startup.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {23B1A3A2-6D4F-40AA-A9F8-319C9AE44A90} (FPWebVersionCheckerOCX.FPVersionOCX) - http://clearview.bmcsolutions.com/Cl...CheckerOCX.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://blackboard.webex.com/client/...br/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7650 bytes

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-30 16:01:25
PROTECTIONS: 2
MALWARE: 18
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec Antivirus Corporate Edition 8.0 No Yes
Norton Antivirus Edition 7.5 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020900 spyware/apropos Spyware No 1 Yes No hkey_local_machine\software\autoloader
00132734 adware/24-7-search Adware No 0 Yes No c:\windows\system32\unppc.exe
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\PORTON\Cookies\porton@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\PORTON\Cookies\porton@apmebf[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\PORTON\Cookies\porton@server.iad.liveperson[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\PORTON\Cookies\porton@realmedia[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\PORTON\Cookies\porton@zedo[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\PORTON\Cookies\porton@adrevolver[1].txt
00223416 Application/Redswoosh HackTools No 0 Yes No C:\Program Files\RSNet\RSEDNClientUninstaller.exe
00223416 Application/Redswoosh HackTools No 0 Yes No C:\WINDOWS\RSEDNClientUninstaller.exe
00522961 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\PORTON\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-5217334b[MagicApplet.class]
00522968 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\PORTON\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-5217334b[OwnClassLoader.class]
00527204 Application/PRScheduler HackTools No 0 Yes No C:\DOCUMENTS AND SETTINGS\PORTON\START MENU\PROGRAMS\STARTUP\POWERREG SCHEDULER V3.EXE
02937396 Java/Downloader.TOP Virus/Trojan No 0 Yes No C:\Documents and Settings\PORTON\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-5217334b[Installer.class]
02985424 Application/AdvancedXPFixer HackTools No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1040\A0060741.exe
03008450 Adware/AdvancedXPFixer Adware No 0 Yes No C:\Documents and Settings\PORTON\Local Settings\Temp\.tt80D.tmp
03008451 Application/AdvancedXPFixer HackTools No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1040\A0059970.dll
03008451 Application/AdvancedXPFixer HackTools No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1041\A0060869.dll
03008451 Application/AdvancedXPFixer HackTools No 0 Yes No C:\Program Files\rhcgquj0e91e\rhcgquj0e91eSkin.dll
03008451 Application/AdvancedXPFixer HackTools No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1040\A0060742.dll
03008451 Application/AdvancedXPFixer HackTools No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1041\A0060862.dll
03104923 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1041\A0060861.exe
03128601 Adware/MalwareProtector2008 Adware Yes 0 Yes No C:\WINDOWS\SYSTEM32\PPHCLQUJ0E91E.EXE
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\WINDOWS\SYSTEM32\7.tmp
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\WINDOWS\SYSTEM32\9.tmp
03128601 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1040\A0060737.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\PROGRAM FILES\RHCGQUJ0E91E\RHCGQUJ0E91E.EXE
No C:\WINDOWS\SYSTEM32\BLPHCLQUJ0E91E.SCR
No C:\WINDOWS\SYSTEM32\LPHCLQUJ0E91E.EXE
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
;===================================================================================================================================================================================
lihp67 is offline  
Old 06-30-2008, 05:08 PM   #2 (permalink)
Analyst, Security Team
 
greyknight17
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Re: Antivirus XP 2008 hijacked

Download Malwarebytes' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebyt...are_d5756.html. Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingcomputer.com/comb...o-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until the "posting the log" part. Post the ComboFix log here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 07-02-2008, 11:44 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 24
OS: WINDOWS XP SP2


Re: Antivirus XP 2008 hijacked

Malwarebytes' Anti-Malware 1.19
Database version: 913
Windows 5.1.2600 Service Pack 2

8:57:37 AM 7/2/2008
mbam-log-7-2-2008 (08-57-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 106129
Time elapsed: 47 minute(s), 2 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 14
Files Infected: 31

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\sysrest32.exe (Rootkit.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\PORTON\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008 (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\PORTON\Local Settings\Temp\.tt80D.tmp (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1040\A0060737.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1040\A0060741.exe (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1041\A0060845.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1041\A0060846.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1041\A0060848.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1041\A0060861.exe (Rogue.MalwareProtector) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1041\A0060862.dll (Rogue.MalwareProtector) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1041\A0060869.dll (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphclquj0e91e.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pphclquj0e91e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphclquj0e91e.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\phclquj0e91e.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk (Rogue.MalwareProtector2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\PORTON\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

ComboFix 08-07-01.5 - PORTON 2008-07-02 13:19:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.140 [GMT -4:00]
Running from: C:\Documents and Settings\PORTON\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\igfxhk.dll

----- BITS: Possible infected sites -----

hxxp://bmc
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-02 08:04 . 2008-07-02 08:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-02 08:04 . 2008-07-02 08:04 <DIR> d-------- C:\Documents and Settings\PORTON\Application Data\Malwarebytes
2008-07-02 08:04 . 2008-07-02 08:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-02 08:04 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-02 08:04 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-30 09:42 . 2008-06-30 09:42 <DIR> d-------- C:\Documents and Settings\PORTON\Application Data\shcjquj0e91e
2008-06-30 09:28 . 2008-06-30 09:28 <DIR> d-------- C:\Program Files\Panda Security
2008-06-30 09:13 . 2008-06-30 09:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-27 16:51 . 2008-06-27 16:51 <DIR> d-------- C:\Documents and Settings\PORTON\Application Data\rhcgquj0e91e
2008-06-25 08:56 . 2008-06-25 08:56 <DIR> d-------- C:\Program Files\NetObjects
2008-06-11 09:35 . 2008-06-11 09:35 <DIR> d-------- C:\Documents and Settings\PORTON\Application Data\Apple Computer
2008-06-11 09:29 . 2008-06-11 09:30 <DIR> d-------- C:\Program Files\QuickTime
2008-06-11 09:29 . 2008-06-11 09:29 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-11 09:29 . 2008-06-11 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-11 09:29 . 2008-06-11 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-11 09:24 . 2008-06-11 09:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-11 09:24 . 2008-06-11 09:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 08:23 . 2008-06-10 08:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-04 16:56 . 2008-02-29 16:22 663,552 --------- C:\WINDOWS\SYSTEM32\FPWebSysUtilsCBO.dll
2008-06-04 16:52 . 2008-06-04 16:52 <DIR> d-------- C:\Program Files\MSSOAP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 13:25 --------- d-----w C:\Program Files\Viewpoint
2008-06-30 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-30 13:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-30 13:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 13:22 --------- d-----w C:\Program Files\LimeWire
2008-06-04 20:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-01 16:43 --------- d-----w C:\Program Files\Lavasoft
2008-06-01 16:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 15:42 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-01 15:42 --------- d-----w C:\Documents and Settings\PORTON\Application Data\SUPERAntiSpyware.com
2008-06-01 15:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-01 15:03 0 --sha-w C:\Documents and Settings\PORTON\Application Data\0000000000CHEV1.dat
2008-05-30 19:21 14,336 ----a-w C:\Documents and Settings\PORTON\Application Data\zibqy.exe
2006-08-31 17:19 842,573 ------w C:\Documents and Settings\PORTON\351207.exe
2003-04-12 17:39 207,759 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM95\aim.exe" [2005-08-05 16:08 67160]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2005-02-25 20:28 212992]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"P3000x_S2P"="C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-27 15:44 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cscript" [X]

C:\Documents and Settings\PORTON\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-05-29 10:24:34 225280]
Your Assistant 4.1.lnk - C:\Program Files\Mitel Networks\Your Assistant 4.1\Assemblies\YA.exe [2008-01-28 14:49:06 24576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Ultra Hal Text-to-Speech Reader Startup.lnk - C:\WINDOWS\Installer\{96EF451E-A402-44D8-BAEE-D70D558A4122}\New_Shortcut_S1449_0EB7CDB78E0C4A918D2CA535D5B8160C.exe [2005-09-23 08:16:35 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\javaw.exe"=
"C:\\Sierra\\Half-Life\\hl.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\postal\\Postal 1\\Postal\\POSTAL.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mitel Networks\\Your Assistant 4.1\\Assemblies\\YA.exe"=
"C:\\Program Files\\Mitel Networks\\Your Assistant 4.1\\Bin\\wave.exe"=
"C:\\Program Files\\Mitel Networks\\YACC\\YACC.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)


.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 15:30:43 C:\WINDOWS\Tasks\AutoDefrag.job"
- C:\AutoDefrag.exe
"2008-06-30 13:00:12 C:\WINDOWS\Tasks\IMG_0456.job"
- C:\Documents and Settings\Administrator\My Documents\My Pictures\Dell Image Expert Images\October 13, 2005\IMG_0456.JPG
"2008-06-30 13:00:15 C:\WINDOWS\Tasks\IMG_0457.job"
- C:\Documents and Settings\Administrator\My Documents\My Pictures\Dell Image Expert Images\October 13, 2005\IMG_0457.JPG
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{BBCC158F-F8E5-5DBD-E0A0-34F087D175F2} - (no file)
HKCU-RunServices-Windows iMessenger Messenger - winimsg.exe
HKLM-Run-Run RunOnce - D:\RunOnce.exe
HKLM-Run-Windows iMessenger Messenger - winimsg.exe
HKLM-RunServices-Windows iMessenger Messenger - winimsg.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 13:28:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows iMessenger Messenger = winimsg.exe?
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows iMessenger Messenger = winimsg.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Zabaware\HalReader\HalReader.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Mitel Networks\Your Assistant 4.1\Bin\wave.exe
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-02 13:38:21 - machine was rebooted [PORTON]
ComboFix-quarantined-files.txt 2008-07-02 17:38:08

Pre-Run: 2,785,382,400 bytes free
Post-Run: 2,927,362,048 bytes free

160 --- E O F --- 2007-09-15 07:05:49
Old 07-02-2008, 06:04 PM   #4 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Re: Antivirus XP 2008 hijacked

Uninstall Viewpoint via the Add/Remove Programs panel.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
File::
C:\Documents and Settings\PORTON\Application Data\0000000000CHEV1.dat
C:\Documents and Settings\PORTON\Application Data\zibqy.exe
c:\windows\system32\winimsg.exe
Folder::
C:\Documents and Settings\PORTON\Application Data\shcjquj0e91e
C:\Documents and Settings\PORTON\Application Data\rhcgquj0e91e
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows iMessenger Messenger"=-
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows iMessenger Messenger"=-
Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

I want you to upload this file (C:\Documents and Settings\PORTON\351207.exe) to http://virusscan.jotti.org and report back what it found.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Old 07-03-2008, 06:17 AM   #5 (permalink)
Registered User
Join Date: Feb 2008
Posts: 24
OS: WINDOWS XP SP2


Re: Antivirus XP 2008 hijacked

Hello....the virusscan.jotti.org found nothing on the file "351207.exe", said it was ok. I'm not sure what that file is, it's dated 2006. Also, "viewpoint" didn't show up in my list of programs to uninstall under add/remove programs.

ComboFix 08-07-01.5 - PORTON 2008-07-02 20:00:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.114 [GMT -4:00]
Running from: C:\Documents and Settings\PORTON\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\PORTON\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\PORTON\Application Data\0000000000CHEV1.dat
C:\Documents and Settings\PORTON\Application Data\zibqy.exe
c:\windows\system32\winimsg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1054744159.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1201717735.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1257552095.712536053
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1344019565.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1476482372.712535979
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1550700062.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1675323418.713836840
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1744624506.713836803
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1767541886.713836716
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1792851963.712535981
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-1808475205.MTS
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-398762564.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-685991849.712535954
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-708065856.713836749
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-732913299.712536002
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-763019087.713836937
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\-96559883.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\1461440338.712535953
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\1564877131.712535908
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\1989748647.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\385814962.712536011
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\501688438.712536046
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\557102755.JPG
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-1041161462.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-1087044874.MZV
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-1216699398.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-167467785.712535921
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-1735078747.713836821
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-198043659.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-2040853405.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-378119151.712535947
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-547239967.MZV
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-579180378.MTS
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-583022627.712535910
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-787478019.712535915
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\-982355842.712536070
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\1176327029.713836865
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\1220223377.712535992
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\1247495568.712535999
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\1304666343.712536034
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\27862614.JPG
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\346281577.713836896
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\512589962.712536028
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\570073743.713863076
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\768763562.712535994
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\860502393.712536026
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\925975223.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1140250495.713836908
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1149444489.712536068
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1219180738.713836830
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1270717649.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1403121499.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1438713594.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1610302144.712536009
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1651440994.712535931
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1801392204.712535990
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1817435829.712536059
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-1819899927.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-2034384745.713836872
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-2090409827.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-2108356295.712535989
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-243470204.712536022
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-300725744.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-39200077.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-41890203.712536041
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-484435281.MZV
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-579180353.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-582640680.712536049
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-668285516.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-72580264.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-764272172.712535942
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-850962371.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\-958672350.SWF
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\1229517749.712535939
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\1385903037.713836769
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\143415706.712536017
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\1520622600.712535996
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\172992995.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\245720689.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\407034558.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\434599021.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\518054506.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\541804657.JPG
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1037005395.713836741
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1106322216.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1294591352.712536065
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1307685966.713836843
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1603077681.712535983
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1625577909.713836700
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1720476204.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1799102199.713836711
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1808475262.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1877319710.713836793
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-1926077123.712535997
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-583862537.712536063
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-66919675.712536043
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-851322353.SWF
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\-917676683.SWF
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\1071317150.713836906
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\119964245.713836888
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\1382942631.713836864
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\1385887584.713836838
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\1418335590.713836807
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\1642019882.MTZ
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\1669572585.712536032
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\1838517554.712536007
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\1981051985.SWF
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\2021793278.712535944
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\489659170.712536061
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\581741786.713836754
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\582067880.712535985
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\746857229.713836914
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\770800983.712535978
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\879056853.712535933
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\932053967.712536014
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\980018594.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint\Resources\UpdateVersionList_v2.mtx
C:\Documents and Settings\PORTON\Application Data\0000000000CHEV1.dat
C:\Documents and Settings\PORTON\Application Data\rhcgquj0e91e
C:\Documents and Settings\PORTON\Application Data\shcjquj0e91e
C:\Documents and Settings\PORTON\Application Data\zibqy.exe
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1605689037.MTZ
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\253621806.fdg
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\253621806.mtx
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\294426286.MTZ
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1231589966.swf
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-308795830.MTZ
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1048055447.swf
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1048088743.mtz
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\898252083.MTZ
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-02 08:04 . 2008-07-02 08:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-02 08:04 . 2008-07-02 08:04 <DIR> d-------- C:\Documents and Settings\PORTON\Application Data\Malwarebytes
2008-07-02 08:04 . 2008-07-02 08:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-02 08:04 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-02 08:04 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-30 09:28 . 2008-06-30 09:28 <DIR> d-------- C:\Program Files\Panda Security
2008-06-30 09:13 . 2008-06-30 09:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 08:56 . 2008-06-25 08:56 <DIR> d-------- C:\Program Files\NetObjects
2008-06-11 09:35 . 2008-06-11 09:35 <DIR> d-------- C:\Documents and Settings\PORTON\Application Data\Apple Computer
2008-06-11 09:29 . 2008-06-11 09:30 <DIR> d-------- C:\Program Files\QuickTime
2008-06-11 09:29 . 2008-06-11 09:29 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-11 09:29 . 2008-06-11 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-11 09:29 . 2008-06-11 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-11 09:24 . 2008-06-11 09:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-11 09:24 . 2008-06-11 09:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 08:23 . 2008-06-10 08:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-04 16:56 . 2008-02-29 16:22 663,552 --------- C:\WINDOWS\SYSTEM32\FPWebSysUtilsCBO.dll
2008-06-04 16:52 . 2008-06-04 16:52 <DIR> d-------- C:\Program Files\MSSOAP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 13:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-30 13:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 13:22 --------- d-----w C:\Program Files\LimeWire
2008-06-04 20:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-01 16:43 --------- d-----w C:\Program Files\Lavasoft
2008-06-01 16:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 15:42 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-01 15:42 --------- d-----w C:\Documents and Settings\PORTON\Application Data\SUPERAntiSpyware.com
2008-06-01 15:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-06 20:28 86,016 ------w C:\WINDOWS\SYSTEM32\FPWebProgressBarEXE.exe
2006-08-31 17:19 842,573 ------w C:\Documents and Settings\PORTON\351207.exe
2003-04-12 17:39 207,759 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-07-02_13.37.47.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:48 98,304 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cscript.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM95\aim.exe" [2005-08-05 16:08 67160]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2005-02-25 20:28 212992]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"P3000x_S2P"="C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-27 15:44 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cscript" [X]

C:\Documents and Settings\PORTON\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-05-29 10:24:34 225280]
Your Assistant 4.1.lnk - C:\Program Files\Mitel Networks\Your Assistant 4.1\Assemblies\YA.exe [2008-01-28 14:49:06 24576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Ultra Hal Text-to-Speech Reader Startup.lnk - C:\WINDOWS\Installer\{96EF451E-A402-44D8-BAEE-D70D558A4122}\New_Shortcut_S1449_0EB7CDB78E0C4A918D2CA535D5B8160C.exe [2005-09-23 08:16:35 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\javaw.exe"=
"C:\\Sierra\\Half-Life\\hl.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\postal\\Postal 1\\Postal\\POSTAL.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mitel Networks\\Your Assistant 4.1\\Assemblies\\YA.exe"=
"C:\\Program Files\\Mitel Networks\\Your Assistant 4.1\\Bin\\wave.exe"=
"C:\\Program Files\\Mitel Networks\\YACC\\YACC.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)


.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 15:30:28 C:\WINDOWS\Tasks\AutoDefrag.job"
- C:\AutoDefrag.exe
"2008-07-02 13:00:00 C:\WINDOWS\Tasks\IMG_0456.job"
- C:\Documents and Settings\Administrator\My Documents\My Pictures\Dell Image Expert Images\October 13, 2005\IMG_0456.JPG
"2008-07-02 13:00:00 C:\WINDOWS\Tasks\IMG_0457.job"
- C:\Documents and Settings\Administrator\My Documents\My Pictures\Dell Image Expert Images\October 13, 2005\IMG_0457.JPG
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 20:05:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-07-02 20:08:29
ComboFix-quarantined-files.txt 2008-07-03 00:08:18
ComboFix2.txt 2008-07-02 17:38:22

Pre-Run: 2,881,036,288 bytes free
Post-Run: 2,862,399,488 bytes free

306 --- E O F --- 2007-09-15 07:05:49
lihp67 is offline  
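Added example (not part of the thread or of ComboFix): the firewall-policy sections of a ComboFix log like the one above list every Windows Firewall exception and globally open port on the box, and on a clean-up those are worth a second look even when the rootkit scan is clean. This Python script parses those sections and flags exceptions that point outside the standard directories plus any globally open port. The sample input copies lines from the log above and adds one constructed entry (C:\Temp\update.exe); the %windir% expansion and the trusted-directory list are assumptions for a default 32-bit XP install.

```python
import re
from dataclasses import dataclass, field

# Sample ComboFix output: the firewall-policy lines are copied from the log in this
# thread; the C:\Temp\update.exe entry is constructed to show a suspect path.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\javaw.exe"=
"C:\\Sierra\\Half-Life\\hl.exe"=
"C:\\postal\\Postal 1\\Postal\\POSTAL.EXE"=
"C:\\Temp\\update.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')

# Assumptions: a default 32-bit Windows XP layout. Anything authorised from
# outside these directories gets flagged for a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
ENV_VARS = {"%windir%": "C:\\WINDOWS"}


def unescape_reg_path(path: str) -> str:
    """Turn a .reg-style escaped path (doubled backslashes, %windir%) into a plain path."""
    plain = path.replace("\\\\", "\\")
    for var, value in ENV_VARS.items():
        plain = plain.replace(var, value)
    return plain


@dataclass
class FirewallPolicy:
    authorized_apps: list = field(default_factory=list)   # plain paths
    open_ports: list = field(default_factory=list)        # (port, proto, label)
    icmp: dict = field(default_factory=dict)              # setting -> int


def parse_firewall_policy(text: str) -> FirewallPolicy:
    """Walk the sharedaccess firewallpolicy sections of a ComboFix log."""
    policy = FirewallPolicy()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            if "authorizedapplications" in key:
                section = "apps"
            elif "globallyopenports" in key:
                section = "ports"
            elif "icmpsettings" in key:
                section = "icmp"
            else:
                section = None
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        name, value = m.group("name"), m.group("value").strip()
        if section == "apps":
            policy.authorized_apps.append(unescape_reg_path(name))
        elif section == "ports":
            port, proto = name.split(":", 1)          # "9420:TCP"
            parts = value.split(":", 2)               # "9420:TCP:RSP"
            label = parts[2] if len(parts) == 3 else ""
            policy.open_ports.append((int(port), proto.upper(), label))
        elif section == "icmp":
            policy.icmp[name] = int(value.split()[0])  # "0 (0x0)" -> 0
    return policy


def review(policy: FirewallPolicy) -> list:
    """Return human-readable findings: exceptions worth questioning on a clean-up."""
    findings = []
    for path in policy.authorized_apps:
        if not path.lower().startswith(TRUSTED_PREFIXES):
            findings.append(f"firewall exception outside trusted dirs: {path}")
    for port, proto, label in policy.open_ports:
        findings.append(f"globally open port {port}/{proto} ({label or 'unlabelled'})")
    if policy.icmp.get("AllowInboundEchoRequest", 0):
        findings.append("inbound ICMP echo requests are allowed")
    return findings


if __name__ == "__main__":
    for finding in review(parse_firewall_policy(SAMPLE_LOG)):
        print(finding)
```

The path heuristic is a triage aid, not a verdict: on this log it flags the two games installed under their own folders alongside the constructed C:\Temp entry, and it is the owner who knows which of those belong. The globally open port (9420/TCP, labelled RSP here) deserves the same question, since a port exception stays open after the program that asked for it is gone.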
Old 07-04-2008, 12:48 PM   #6
greyknight17
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro

Re: Antivirus XP 2008 hijacked

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 07-07-2008, 05:52 AM   #7
lihp67
Registered User
Join Date: Feb 2008
Posts: 24
OS: WINDOWS XP SP2

Re: Antivirus XP 2008 hijacked

Looks good to go, thanks a million!
lihp67 is offline  
Copyright 2001 - 2009, Tech Support Forum