Resolved HJT Threads Resolved spyware and popup issues.
#1, 07-31-2008, 02:33 PM
summit15, Registered User (Join Date: Jul 2008; Posts: 7; OS: Windows XP Home)

Pop-ups on I.E., Backdoor Trojan, help please, Deckard's included

Hi, I have constant random pop-ups on Internet Explorer. I have McAfee 2008 and it did not fix it. I have tried Spyware Doctor 2008 but it did not remove the problem. The malicious trojan is a backdoor virus. I have followed your 5-step method. I did SpywareBlaster and Zone out as described, and Panda 2.0.

I have Windows XP Home Edition with Service Pack 3, updated.

Here is my main file from the Deckard scanner. I will attach the extra.txt from Deckard, the ActiveScan report from Panda and the Zone out failure report.

Here is the Main text from Deckard:

Deckard's System Scanner v20071014.68
Run by Scott on 2008-07-31 16:58:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
44: 2008-07-31 20:58:27 UTC - RP1076 - Deckard's System Scanner Restore Point
43: 2008-07-30 22:21:33 UTC - RP1075 - Removed Desktop Doctor
42: 2008-07-30 21:56:36 UTC - RP1074 - Last known good configuration
41: 2008-07-30 14:17:03 UTC - RP1073 - Software Distribution Service 3.0
40: 2008-07-29 19:56:43 UTC - RP1072 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-29 19:02:15 UTC - RP1033 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Scott.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:48 PM, on 7/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Documents and Settings\Scott\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Scott.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {28030FA8-2428-4DE6-B0F3-CE9494E1A412} - C:\WINDOWS\system32\vtUlJcDS.dll
O2 - BHO: {25697aa1-1325-fd28-50d4-6d583de133d2} - {2d331ed3-85d6-4d05-82df-52311aa79652} - C:\WINDOWS\system32\kbsozf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D1EEEA14-EDCE-459A-8244-83C56E4E32AC} - C:\WINDOWS\system32\rqRLFvuu.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
O4 - HKLM\..\Run: [lanmanwrk.exe clean] C:\WINDOWS\System32\lanmanwrk.exe clean
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186328631921
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: vtUlJcDS - C:\WINDOWS\SYSTEM32\vtUlJcDS.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9469 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,2
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\system32\migicons.exe,7
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\system32\migicons.exe,6


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Winms30 - c:\windows\system32\drivers\winms30.sys
R1 lanmandrv - c:\windows\system32\lanmandrv.sys
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)
S3 SymIMMP - c:\windows\system32\drivers\symim.sys (file missing)
S3 VNUSB (VN Series Device) - c:\windows\system32\drivers\vnusb.sys <Not Verified; OLYMPUS OPTICAL CO.,LTD.; VVRUSB Driver>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Officejet Pro L7700
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet Pro L7700
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}
Description: Officejet Pro L7700
Device ID: ROOT\PRINTER\0000
Manufacturer: HP
Name: Officejet Pro L7700
PNP Device ID: ROOT\PRINTER\0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-07-31 17:00:56 438 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-07-31 07:29:24 372 --a------ C:\WINDOWS\Tasks\RegCure.job
2008-07-27 23:01:38 332 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-07-27 23:01:38 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 17:01:25 0 d-------- C:\Program Files\Trend Micro
2008-07-31 14:13:17 0 d-------- C:\Program Files\SpywareBlaster
2008-07-31 09:23:42 0 d-------- C:\Program Files\Panda Security
2008-07-31 07:35:23 724 --a------ C:\WINDOWS\system32\qmopt.dll
2008-07-31 00:00:35 99712 --a------ C:\WINDOWS\system32\eglntsuv.dll
2008-07-30 23:57:44 120960 --a------ C:\WINDOWS\system32\kbsozf.dll
2008-07-30 23:57:43 120960 --a------ C:\WINDOWS\system32\qvovknxx.dll
2008-07-30 2341 8064 --a------ C:\WINDOWS\system32\lanmandrv.sys
2008-07-30 22:46:51 0 d-------- C:\Program Files\Spyware Doctor
2008-07-30 22:46:51 0 d-------- C:\Documents and Settings\Scott\Application Data\PC Tools
2008-07-30 20:00:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-30 19:38:04 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-30 17:59:16 120960 --a------ C:\WINDOWS\system32\kjhvgw.dll
2008-07-30 17:59:15 120960 --a------ C:\WINDOWS\system32\uaaoimxb.dll
2008-07-30 17:57:09 99712 --a------ C:\WINDOWS\system32\phqvkjwj.dll
2008-07-30 17:56:15 672052 --ahs---- C:\WINDOWS\system32\uuvFLRqr.ini2
2008-07-30 17:56:10 323328 --a------ C:\WINDOWS\system32\rqRLFvuu.dll
2008-07-30 17:56:02 16896 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-07-30 17:51:07 34176 --a------ C:\WINDOWS\system32\qoMgdcay.dll
2008-07-30 17:51:06 34176 --a------ C:\WINDOWS\system32\vtUlJcDS.dll
2008-07-29 16:23:55 0 d-------- C:\WINDOWS\Prefetch
2008-07-29 16:14:44 0 d-------- C:\WINDOWS\system32\scripting
2008-07-29 16:14:42 0 d-------- C:\WINDOWS\l2schemas
2008-07-29 16:14:41 0 d-------- C:\WINDOWS\system32\en
2008-07-29 16:14:41 0 d-------- C:\WINDOWS\system32\bits
2008-07-29 16:11:26 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-29 16:00:24 0 d-------- C:\WINDOWS\EHome
2008-07-29 15:11:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-07-29 15:08:18 0 d-------- C:\Documents and Settings\Scott\Application Data\Citrix
2008-07-29 14:57:29 0 d-------- C:\Documents and Settings\Scott\Application Data\McAfee
2008-07-28 08:17:06 0 d-------- C:\Program Files\RegCure
2008-07-27 23:05:04 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-07-27 23:05:04 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-27 23:04:57 0 d-------- C:\Program Files\SiteAdvisor
2008-07-27 23:04:57 0 d-------- C:\Documents and Settings\Scott\Application Data\SiteAdvisor
2008-07-27 23:04:57 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-27 23:04:43 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-07-27 23:01:20 0 d-------- C:\Program Files\McAfee.com
2008-07-27 23:01:11 0 d-------- C:\Program Files\Common Files\McAfee
2008-07-27 23:01:03 0 d-------- C:\Program Files\McAfee
2008-07-27 22:54:54 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 20:39:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-24 19:11:28 0 d-------- C:\WINDOWS\system32\N360_BACKUP
2008-07-20 13:00:26 0 d--hs---- C:\FOUND.028
2008-07-18 10:00:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-18 09:28:20 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-07-16 09:24:42 0 d-------- C:\Documents and Settings\Scott\Application Data\Windows Desktop Search
2008-07-16 09:23:25 0 d-------- C:\Program Files\Windows Desktop Search
2008-07-16 08:55:38 0 d-------- C:\Program Files\Microsoft Works
2008-07-16 08:54:34 0 d-------- C:\Program Files\Microsoft.NET
2008-07-16 08:50:12 0 d-------- C:\Documents and Settings\Scott\Application Data\Microsoft Help
2008-07-16 08:49:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-16 08:49:08 0 dr-h----- C:\MSOCache
2008-07-09 03:00:57 0 d-------- C:\Program Files\MSXML 6.0
2008-07-08 20:30:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-08 20:30:34 0 d-------- C:\Documents and Settings\Scott\Application Data\Roxio
2008-07-08 20:25:06 0 d-------- C:\Documents and Settings\Scott\Application Data\Blackberry Desktop
2008-07-08 20:20:58 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-08 20:20:47 0 d-------- C:\Documents and Settings\Scott\Application Data\Research In Motion
2008-07-08 20:14:48 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-08 20:14:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-08 20:09:50 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-08 20:09:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-08 20:09:32 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-08 19:54:23 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-07-08 19:52:42 0 d-------- C:\Program Files\Common Files\Research In Motion
2008-07-08 19:52:23 0 d-------- C:\Program Files\Research In Motion
2008-07-03 12:54:52 0 d--hs---- C:\FOUND.027


-- Find3M Report ---------------------------------------------------------------

2008-07-29 16:40:30 48248 --a------ C:\Documents and Settings\Scott\Application Data\GDIPFONTCACHEV1.DAT
2008-07-16 08:24:42 214297118 --a------ C:\Program Files\Outlook_2007_EN.zip
2008-06-26 10:44:32 8704 --a------ C:\Documents and Settings\Scott\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28030FA8-2428-4DE6-B0F3-CE9494E1A412}]
07/30/2008 05:51 PM 34176 --a------ C:\WINDOWS\system32\vtUlJcDS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d331ed3-85d6-4d05-82df-52311aa79652}]
07/30/2008 11:57 PM 120960 --a------ C:\WINDOWS\system32\kbsozf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1EEEA14-EDCE-459A-8244-83C56E4E32AC}]
07/30/2008 05:56 PM 323328 --a------ C:\WINDOWS\system32\rqRLFvuu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lanmanwrk.exe"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [4/21/2005 8:40:28 AM]
PowerReg Scheduler V3.exe [7/21/2005 7:20:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]
"{28030FA8-2428-4DE6-B0F3-CE9494E1A412}"= C:\WINDOWS\system32\vtUlJcDS.dll [07/30/2008 05:51 PM 34176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlJcDS]
vtUlJcDS.dll 07/30/2008 05:51 PM 34176 C:\WINDOWS\SYSTEM32\vtUlJcDS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 07/31/2008 01:57 PM 16896 C:\WINDOWS\SYSTEM32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRLFvuu

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lanmanwrk.exe clean]
C:\WINDOWS\System32\lanmanwrk.exe clean

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
"C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HPService HPSLPSVC
hpdevmgmt hpqcxs08 hpqddsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-31 17:04:18 ------------
Attached Files
File Type: txt extra.txt (19.8 KB, 1 views)
File Type: txt ActiveScan.txt (8.5 KB, 1 views)
File Type: doc zone out failure report.doc (26.0 KB, 0 views)
summit15 is offline  
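One way to triage a log like the one in this post, as an added example that is not part of the thread and not something HijackThis, Deckard's System Scanner or the forum's fix tools do: score each line with a few heuristics that the entries cleaned up later in this thread share (BHO DLLs with no display name sitting in system32, machine-generated-looking file names, Winlogon Notify packages outside the XP baseline, an extra LSA authentication package, a Run entry launching an unknown binary from system32). The sample lines are constructed after the log above; the allowlists, weights and threshold are assumptions for illustration, not a published baseline.

```python
"""Heuristic triage of HijackThis / Deckard log lines for persistence entries
that deserve a second look. Illustration only: weights, allowlists and the
sample log below are assumptions, not a vendor baseline or a signature set."""
import ntpath
import re

# Winlogon Notify packages expected on a clean XP SP3 box (assumed, partial;
# in practice diff against a known-good image of the same build).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_AUTH_PACKAGES = {"msv1_0"}        # the only LSA auth package on default XP
KNOWN_RUN_IN_SYSTEM32 = {"ctfmon.exe"}  # Run-key targets under system32 we expect (assumed)
FLAG_THRESHOLD = 3                      # assumed cut-off: at or above it, look closer

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
AUTHPKG_RE = re.compile(r'^"Authentication Packages"\s*=\s*(.*)$', re.I)


def looks_random(filename):
    """Heuristic for generated names like vtUlJcDS.dll: 6-8 letters only, and
    either vowel-starved or containing a run of four or more consonants."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    vowel_ratio = sum(c in "aeiouy" for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", stem)), default=0)
    return vowel_ratio <= 0.2 or longest_run >= 4


def triage_line(line):
    """Score one HijackThis O-line or Deckard 'Authentication Packages' line.
    Returns (score, [reasons]); score 0 means nothing matched."""
    line = line.strip()
    found = []

    m = AUTHPKG_RE.match(line)
    if m:
        for pkg in m.group(1).split():
            if ntpath.basename(pkg).lower() not in KNOWN_AUTH_PACKAGES:
                found.append(("extra LSA authentication package: " + pkg, 3))
        return sum(w for _, w in found), [r for r, _ in found]

    m = HJT_RE.match(line)
    if not m:
        return 0, []
    kind, rest = m.groups()
    path = rest.rsplit(" - ", 1)[-1]        # last field of O2/O3/O20 is the file path
    name = ntpath.basename(path)

    if kind == "O4":                        # Run key / Startup folder entries
        t = re.search(r"\]\s*(.*?\.exe)", rest, re.I)
        if t and "\\system32\\" in t.group(1).lower():
            exe = ntpath.basename(t.group(1)).lower()
            if exe not in KNOWN_RUN_IN_SYSTEM32:
                found.append(("Run entry launches unexpected binary from system32: " + exe, 3))
    elif kind in ("O2", "O3"):              # BHOs and toolbars
        if "(no file)" in path:
            found.append(("registered but file missing", 3))
        if "(no name)" in rest:
            found.append(("no display name", 1))
        if "\\system32\\" in path.lower():
            found.append(("browser extension living in system32", 1))
        if looks_random(name):
            found.append(("machine-generated-looking file name: " + name, 2))
    elif kind == "O20":                     # Winlogon Notify packages
        notify = rest.split(":", 1)[1].split(" - ")[0].strip().lower()
        if notify not in KNOWN_NOTIFY:
            found.append(("Winlogon Notify package not in XP baseline: " + notify, 3))
        if looks_random(name):
            found.append(("machine-generated-looking file name: " + name, 2))
    return sum(w for _, w in found), [r for r, _ in found]


def triage(log_text):
    """Return flagged lines as (score, reasons, line), highest score first."""
    hits = []
    for line in log_text.splitlines():
        score, reasons = triage_line(line)
        if score >= FLAG_THRESHOLD:
            hits.append((score, reasons, line.strip()))
    return sorted(hits, key=lambda h: -h[0])


# Constructed sample, shaped after the log in the post above: the first two
# BHOs, the ctfmon Run entry and the McAfee service are benign controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {28030FA8-2428-4DE6-B0F3-CE9494E1A412} - C:\WINDOWS\system32\vtUlJcDS.dll
O2 - BHO: {25697aa1-1325-fd28-50d4-6d583de133d2} - {2d331ed3-85d6-4d05-82df-52311aa79652} - C:\WINDOWS\system32\kbsozf.dll
O2 - BHO: (no name) - {D1EEEA14-EDCE-459A-8244-83C56E4E32AC} - C:\WINDOWS\system32\rqRLFvuu.dll
O3 - Toolbar: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
O4 - HKLM\..\Run: [lanmanwrk.exe clean] C:\WINDOWS\System32\lanmanwrk.exe clean
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: vtUlJcDS - C:\WINDOWS\SYSTEM32\vtUlJcDS.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRLFvuu
"""

if __name__ == "__main__":
    for score, reasons, line in triage(SAMPLE_LOG):
        print("[%d] %s\n      %s" % (score, line, "; ".join(reasons)))
```

The scores are a reading aid, not a verdict: the Winlogon Notify and LSA checks are the strong signals, because those hooks load a DLL into winlogon.exe and lsass.exe respectively and survive a browser reinstall, while the "lives in system32" and "no display name" hints only add up when several of them stack on one entry. A Run entry such as lanmanwrk.exe is flagged here as unknown, not as known bad; the right follow-up is to check the file's signature and creation time against the "Files created" section of the same scan.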
#2, 08-03-2008, 09:39 AM
summit15, Registered User (Join Date: Jul 2008; Posts: 7; OS: Windows XP Home)

Re: Pop-ups on I.E., Backdoor Trojan, help please, Deckard's included

bump, please help!!!
summit15 is offline  
#3, 08-04-2008, 05:34 AM
TheBruce1, Moderator, Analyst, Security Team (Join Date: Oct 2006; Location: Dùn Èideann, Scotland; Posts: 4,490; OS: XP)

Re: Pop-ups on I.E., Backdoor Trojan, help please, Deckard's included

Hello and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that it is no longer present.

Please Do Not Attach logs to your posts unless you are advised to do so.


========

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

=========

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with all the required logs

==========

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

===========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===========
Logs Required
Report.txt
C:\Combofix.txt
Hijackthis Log
__________________
Member of ASAP since 2007
Member of UNITE since 2008
TheBruce1 is offline  
#4, 08-04-2008, 09:59 AM
summit15, Registered User (Join Date: Jul 2008; Posts: 7; OS: Windows XP Home)

Re: Pop-ups on I.E., Backdoor Trojan, help please, Deckard's included

I have followed your instructions and am attaching the three logs you requested.

I still seem to have pop-ups randomly. I had to log into this website 3 times to be able to post.

Please let me know what I need to do next.

I have set up instant message but it does not go into my email?



SDFix: Version 1.212
Run by Scott on Mon 08/04/2008 at 11:27 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\vtUlJcDS.dll - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\system32\qmopt.dll - Deleted
C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\nvrsul32.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 11:41:16
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"D:\\setup\\HPZnui01.exe"="D:\\setup\\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 18 Dec 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
Wed 4 Aug 2004 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Sun 13 Apr 2008 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Mon 25 Dec 2006 4,348 ..SH. --- "C:\WINDOWS\DRM\DRMv1.bak"
Thu 21 Dec 2000 110,080 A.SHR --- "C:\WINDOWS\COMMAND\EBD\WINBOOT.SYS"
Mon 26 Nov 2007 0 A.SH. --- "C:\WINDOWS\DRM\Cache\Indiv02.tmp"
Mon 21 Jan 2008 0 A.SH. --- "C:\WINDOWS\DRM\Cache\Indiv01.tmp"
Sun 27 Jul 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sun 27 Jul 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7779524ce1b472c62f1b0f1a192676ad\BIT9.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\97de84be36b27af6e66a0586433cda52\BIT5.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9ec3943a72ea4aa7fb7b808e2b7554c8\BIT6.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cb1cc7c8ed3868a5a32ffb677fe0fde8\BITA.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9664ff6405d9e0e32778ca8618d4be26\BIT7.tmp"
Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c909c63b4fa217757574b9dcdd658c3\BIT8.tmp"
Tue 29 Mar 2005 27,136 A..H. --- "C:\Documents and Settings\Scott\My Documents\Emerald Passport\~WRL0005.tmp"
Tue 29 Oct 2002 36,352 A..H. --- "C:\Documents and Settings\Scott\My Documents\Resume\~WRL3192.tmp"
Mon 21 Apr 2008 38,912 ...H. --- "C:\Documents and Settings\Scott\My Documents\Resume\~WRL0998.tmp"
Wed 23 Apr 2008 38,912 ...H. --- "C:\Documents and Settings\Scott\My Documents\Resume\~WRL2780.tmp"
Fri 25 Apr 2008 30,720 ...H. --- "C:\Documents and Settings\Scott\My Documents\Resume\~WRL0881.tmp"
Tue 19 Nov 2002 19,968 A..H. --- "C:\Documents and Settings\Scott\My Documents\School fund raisers\~WRL1633.tmp"
Mon 24 Mar 2003 28,160 A..H. --- "C:\Documents and Settings\Scott\My Documents\School fund raisers\~WRL1893.tmp"
Mon 10 Mar 2003 24,576 A..H. --- "C:\Documents and Settings\Scott\My Documents\Wood Floor Business\~WRL1610.tmp"
Mon 29 Jan 2007 22,016 ...H. --- "C:\Documents and Settings\Scott\My Documents\unemployment\~WRL0003.tmp"
Mon 29 Jan 2007 30,720 ...H. --- "C:\Documents and Settings\Scott\My Documents\unemployment\~WRL0264.tmp"
Mon 29 Jan 2007 23,552 ...H. --- "C:\Documents and Settings\Scott\My Documents\unemployment\~WRL2792.tmp"
Tue 22 Apr 2008 20,992 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL1696.tmp"
Wed 23 Apr 2008 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL3581.tmp"
Wed 9 Nov 2005 19,456 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 9 Nov 2005 19,456 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 9 Nov 2005 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL2562.tmp"
Wed 9 Nov 2005 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL1495.tmp"
Wed 9 Nov 2005 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL2729.tmp"
Wed 9 Nov 2005 20,480 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL3314.tmp"
Wed 9 Nov 2005 19,968 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL1868.tmp"
Sun 25 Nov 2007 20 A..H. --- "C:\Documents and Settings\Scott\Application Data\Real\Rhapsody\wmlicbackup\drmv1lic.bak"
Tue 27 Dec 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

=========

ComboFix 08-08-03.05 - Scott 2008-08-04 12:31:25.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.379 [GMT -4:00]
Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\#SharedObjects\DQ5DTTC7\interclick.com
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\#SharedObjects\DQ5DTTC7\interclick.com\ud.sol
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\autorun.inf
C:\WINDOWS\cookies.ini
C:\WINDOWS\start.exe
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\cejxqx.dll
C:\WINDOWS\system32\drivers\Winvc30.sys
C:\WINDOWS\system32\eauwwlpr.dll
C:\WINDOWS\SYSTEM32\kbrsjlha.ini
C:\WINDOWS\system32\kbsozf.dll
C:\WINDOWS\system32\kjhvgw.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfeusbxv.ini
C:\WINDOWS\system32\nmrvmikf.ini
C:\WINDOWS\system32\qoMgdcay.dll
C:\WINDOWS\system32\qvovknxx.dll
C:\WINDOWS\system32\rqRLFvuu.dll
C:\WINDOWS\system32\uaaoimxb.dll
C:\WINDOWS\SYSTEM32\uuvFLRqr.ini
C:\WINDOWS\SYSTEM32\uuvFLRqr.ini2
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\ygosgcth.ini
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANDRV
-------\Legacy_WINVC30
-------\Service_Winvc30


((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 12:27 . 2008-08-04 12:27 99,200 --a------ C:\WINDOWS\SYSTEM32\htcgsogy.dll
2008-08-04 11:25 . 2008-08-04 11:26 578,560 --a------ C:\WINDOWS\SYSTEM32\dllcache\user32.dll
2008-08-04 11:18 . 2008-08-04 11:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-04 11:12 . 2008-08-04 11:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-04 10:50 . 2008-08-03 04:12 <DIR> d-------- C:\SDFix
2008-08-03 12:26 . 2008-08-03 12:26 98,688 --a------ C:\WINDOWS\SYSTEM32\ahljsrbk.dll
2008-08-03 12:25 . 2008-08-03 12:25 130,432 --a------ C:\WINDOWS\SYSTEM32\vhthho.dll
2008-08-03 12:25 . 2008-08-03 12:25 130,432 --a------ C:\WINDOWS\SYSTEM32\aefyhhdx.dll
2008-08-02 08:39 . 2008-08-02 08:39 130,432 --a------ C:\WINDOWS\SYSTEM32\xfogrels.dll
2008-08-02 08:39 . 2008-08-02 08:39 130,432 --a------ C:\WINDOWS\SYSTEM32\sqwrpw.dll
2008-07-31 17:01 . 2008-07-31 17:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-31 16:57 . 2008-07-31 16:57 <DIR> d-------- C:\Deckard
2008-07-31 14:13 . 2008-07-31 14:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-31 14:12 . 2008-07-31 14:13 2,869,536 --a------ C:\Program Files\spywareblastersetup41.exe
2008-07-31 09:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-31 09:23 . 2008-07-31 09:23 <DIR> d-------- C:\Program Files\Panda Security
2008-07-31 00:00 . 2008-07-31 00:00 99,712 --a------ C:\WINDOWS\SYSTEM32\eglntsuv.dll
2008-07-30 22:47 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-07-30 22:47 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-07-30 22:47 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-07-30 22:47 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\PC Tools
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-30 17:57 . 2008-07-30 17:57 99,712 --a------ C:\WINDOWS\SYSTEM32\phqvkjwj.dll
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-29 16:11 . 2008-07-29 16:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-29 16:00 . 2008-07-29 16:00 <DIR> d-------- C:\WINDOWS\EHome
2008-07-29 15:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml6.dll
2008-07-29 15:55 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-07-29 15:55 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-29 15:55 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-07-29 15:55 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-07-29 15:55 . 2008-04-13 20:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-07-29 15:55 . 2008-04-13 20:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-07-29 15:55 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-07-29 15:53 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
2008-07-29 15:52 . 2004-08-03 22:41 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2008-07-29 15:11 . 2008-07-29 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-07-29 15:08 . 2008-07-29 15:08 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Citrix
2008-07-29 14:57 . 2008-07-29 14:57 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\McAfee
2008-07-28 08:17 . 2008-07-28 08:17 <DIR> d-------- C:\Program Files\RegCure
2008-07-27 23:05 . 2008-07-27 23:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-27 23:05 . 2008-08-04 12:41 12,799 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-27 23:04 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-07-27 23:02 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-07-27 23:02 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-07-27 23:02 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-07-27 23:02 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-07-27 23:02 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-27 23:01 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-07-27 22:54 . 2008-07-27 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 20:39 . 2008-07-24 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-24 19:27 . 2008-07-24 19:27 860,840 --a------ C:\Program Files\Support-LogMeInRescue.exe
2008-07-24 19:11 . 2008-07-24 19:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\N360_BACKUP
2008-07-20 13:00 . 2008-07-20 13:00 <DIR> d--hs---- C:\FOUND.028
2008-07-18 10:00 . 2008-07-18 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-18 09:28 . 2008-07-18 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-07-16 09:24 . 2008-07-16 09:24 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Windows Desktop Search
2008-07-16 09:23 . 2008-07-16 09:23 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-07-16 08:55 . 2008-07-16 08:55 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-16 08:54 . 2008-07-16 08:54 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-16 08:50 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Microsoft Help
2008-07-16 08:49 . 2008-07-16 08:49 <DIR> dr-h----- C:\MSOCache
2008-07-16 08:49 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-16 08:24 . 2008-07-16 08:24 214,297,118 --a------ C:\Program Files\Outlook_2007_EN.zip
2008-07-09 03:00 . 2008-07-09 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Roxio
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-08 20:25 . 2008-07-08 20:25 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Blackberry Desktop
2008-07-08 20:20 . 2008-07-08 20:20 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Research In Motion
2008-07-08 20:20 . 2008-07-21 17:34 256 --a------ C:\WINDOWS\SYSTEM32\pool.bin
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-08 19:54 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\RimSerial.sys
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Common Files\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 20:40 48,248 ----a-w C:\Documents and Settings\Scott\Application Data\GDIPFONTCACHEV1.DAT
2008-07-29 19:08 61,224 ----a-w C:\WINDOWS\JAVA\GoToAssistDownloadHelper.exe
2008-07-16 22:32 10,946,560 ----a-w C:\Program Files\XPSEP XP and Server 2003 64 bit.msi
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\SYSTEM32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\dllcache\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-02-27 01:55 5,910,715 ----a-w C:\Program Files\Audit_Support_Center.exe
2007-08-05 17:09 18,568,192 ----a-w C:\Program Files\yie7setup_tb7_news.exe
2007-07-06 16:18 138,197 ----a-w C:\Program Files\ConfirmationLetter.pdf
2007-02-27 21:27 22,976,688 ----a-w C:\Program Files\stamps.exe
2006-04-08 16:32 1,515,898 ----a-w C:\Program Files\LOM.exe
2005-04-03 16:27 271 --sh--w C:\Program Files\desktop.ini
2005-04-03 16:27 23,357 ---h--w C:\Program Files\folder.htt
2003-08-20 22:40 289 ----a-w C:\Program Files\readme.html
2003-07-30 19:06 8,944 ----a-w C:\Program Files\Oj71WinXP.cat
2003-07-30 19:06 36,926 ----a-w C:\Program Files\oj71inst.cat
2003-06-25 06:43 16,384 ----a-w C:\Program Files\hpo9xmig.exe
2003-06-25 04:41 9,078 ----a-w C:\Program Files\Oj71WinXP.inf
2002-09-09 19:11 6,130 ----a-w C:\Program Files\Oj71Inst.inf
2001-02-17 08:12 22,048 ----a-w C:\Program Files\cocpyinf.dll
2004-08-04 16:00 94,784 --sh--w C:\WINDOWS\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d55dc94e-9e30-4c2c-9f38-726d1855a464}]
2008-08-03 12:25 130432 --a------ C:\WINDOWS\system32\vhthho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"375113a0"="C:\WINDOWS\system32\htcgsogy.dll" [2008-08-04 12:27 99200]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-04-21 08:40:28 256000]
PowerReg Scheduler V3.exe [2005-07-21 07:20:00 225280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL sqwrpw.dll vhthho.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"aux"= ctwdm32.dll
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms30.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 12:28 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
--a------ 2007-11-30 05:42 1164576 C:\PROGRA~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-03-29 18:28 6815744 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
--a------ 2007-08-24 17:57 36640 C:\Program Files\SiteAdvisor\6261\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--------- 2004-08-04 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys [2002-12-17 12:27]
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys [2005-04-03 14:35]
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2005-04-03 14:35]
R2 hpqddsvc;HP CUE DeviceDiscovery Service;C:\WINDOWS\system32\svchost.exe [2008-04-13 20:12]
R2 MCSTRM;MCSTRM;C:\WINDOWS\system32\drivers\MCSTRM.sys [2007-11-25 20:43]
R2 Net Driver HPZ12;Net Driver HPZ12;C:\WINDOWS\System32\svchost.exe [2008-04-13 20:12]
R2 NVSvc;NVIDIA Driver Helper Service;C:\WINDOWS\system32\nvsvc32.exe [2001-11-15 16:12]
R2 SiteAdvisor Service;SiteAdvisor Service;C:\Program Files\SiteAdvisor\6261\SAService.exe [2008-07-29 08:02]
R2 WSearch;Windows Search;C:\WINDOWS\system32\SearchIndexer.exe [2007-02-05 15:34]
R3 ctljystk;Creative SBLive! Gameport;C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 12:19]
R3 DM9102;DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver;C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS [2001-08-17 12:11]
R3 hpqcxs08;hpqcxs08;C:\WINDOWS\system32\svchost.exe [2008-04-13 20:12]
R3 HPSLPSVC;HP Network Devices Support;C:\WINDOWS\system32\svchost.exe [2008-04-13 20:12]
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys [2005-04-03 14:35]
R3 RimVSerPort;RIM Virtual Serial Port v2;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 10:24]
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 13:53]
S0 Winms30;Winms30;C:\WINDOWS\system32\Drivers\Winms30.sys []
S3 dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 14:39]
S3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 13:47]
S3 dot4usb;Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 13:47]
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys [2005-04-03 14:35]
S3 odserv;Microsoft Office Diagnostics Service;C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 19:49]
S3 RimUsb;BlackBerry Smartphone;C:\WINDOWS\system32\Drivers\RimUsb.sys [2007-05-31 13:39]
S3 sdAuxService;PC Tools Auxiliary Service;C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 15:29]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 18:22]
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb;C:\WINDOWS\system32\Drivers\wpdusb.sys [2006-10-18 20:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-07-28 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-28 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-31 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-04 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lanmanwrk - C:\WINDOWS\System32\lanmanwrk.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\SYSTEM\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 12:41:12
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\htcgsogy.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\MCAFEE\MSC\MCMSCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
C:\PROGRAM FILES\MCAFEE\MPF\MPFSRV.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-04 12:45:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-04 16:45:16

Pre-Run: 16,506,191,872 bytes free
Post-Run: 16,501,080,064 bytes free

373 --- E O F --- 2008-07-30 14:17:32

==========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:15 PM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {464a5581-d627-83f9-c2c4-03e9e49cd55d} - {d55dc94e-9e30-4c2c-9f38-726d1855a464} - C:\WINDOWS\system32\vhthho.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [375113a0] rundll32.exe "C:\WINDOWS\system32\htcgsogy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186328631921
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - AppInit_DLLs: NVDESK32.DLL sqwrpw.dll vhthho.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8477 bytes
Attached Files
File Type: txt report.txt (9.6 KB, 1 views)
File Type: txt combofix log.txt (26.1 KB, 1 views)
File Type: txt hijackthis 1.txt (8.3 KB, 1 views)

Last edited by TheBruce1; 08-04-2008 at 12:02 PM.
summit15 is offline  
Old 08-04-2008, 12:31 PM   #5 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 4,490
OS: XP


Re: Pop ups on I.E. Backdoor Trojan, help please deckards included

Hello again

Download ATF-Cleaner by Atribune to your desktop. Do not run it just yet; we will shortly.

=============

Open notepad and copy/paste the text in the quotebox below into it:
Please include the link into notepad

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/275480-pop-ups-i-e-backdoor-trojan-help-please-deckards-included.html#post1630221

Collect::
C:\WINDOWS\SYSTEM32\htcgsogy.dll
C:\WINDOWS\SYSTEM32\ahljsrbk.dll
C:\WINDOWS\SYSTEM32\vhthho.dll
C:\WINDOWS\SYSTEM32\aefyhhdx.dll
C:\WINDOWS\SYSTEM32\xfogrels.dll
C:\WINDOWS\SYSTEM32\sqwrpw.dll
C:\WINDOWS\SYSTEM32\eglntsuv.dll
C:\WINDOWS\SYSTEM32\phqvkjwj.dll
File::
C:\WINDOWS\uccspecc.sys
Driver::
symlcsvc
Folder::
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Program Files\Common Files\Symantec Shared
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d55dc94e-9e30-4c2c-9f38-726d1855a464}]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).

=============

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

=============


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

Animated Tutorial Here


To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

============

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

============
Logs Required
C:\Combofix.txt
Kaspersky Scan Report
Hijackthis Log


How is your system behaving now?
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI



If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
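The Collect:: list in the CFscript above was built by reading the HijackThis log posted earlier for the usual cues: an O2 BHO whose display name is itself a GUID, an O4 Run value that starts a DLL through rundll32.exe, extra entries in AppInit_DLLs, and DLLs in system32 with generated-looking names. The script below is an added example, not code from this thread, from HijackThis, or from ComboFix; it applies those same cues to a constructed handful of log lines in the shape of the ones posted, and the consonant-run heuristic and its threshold are my assumption, not a rule the helper stated.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not part of the forum thread and not code from HijackThis,
ComboFix or Tech Support Forum.  It applies the cues the helper used when
writing the CFscript: a BHO whose display name is itself a GUID, an O4 Run
value that starts a DLL through rundll32.exe, extra DLLs in AppInit_DLLs,
and random-looking DLL basenames.
"""
import re
from typing import List, Tuple

# Constructed sample: a few lines in the shape of the HijackThis log posted above.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: {464a5581-d627-83f9-c2c4-03e9e49cd55d} - {d55dc94e-9e30-4c2c-9f38-726d1855a464} - C:\\WINDOWS\\system32\\vhthho.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [375113a0] rundll32.exe "C:\\WINDOWS\\system32\\htcgsogy.dll",b
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - AppInit_DLLs: NVDESK32.DLL sqwrpw.dll vhthho.dll
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VOWELS = set("aeiou")


def basename(path: str) -> str:
    """Last path component, with surrounding quotes and spaces removed."""
    return path.strip().strip('"').replace("/", "\\").split("\\")[-1]


def looks_random(name: str) -> bool:
    """Crude stand-in for an entropy check: five or more consonants in a row.

    Assumed heuristic.  Most real binaries are pronounceable (ctfmon, qttask,
    mcshield); generated names such as htcgsogy, vhthho and sqwrpw are not.
    It does misfire on names like nvsvc32, so keep a vendor allowlist beside it.
    """
    stem = re.sub(r"\.(dll|exe|sys)$", "", name.lower())
    stem = re.sub(r"[^a-z]", "", stem)
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves a closer look (empty if none)."""
    reasons = []
    if line.startswith("O2 - BHO:"):
        # Shape: "O2 - BHO: <name> - {CLSID} - <path>"
        fields = [f.strip() for f in line[len("O2 - BHO:"):].split(" - ")]
        name, path = fields[0], fields[-1]
        if name == "(no name)" or GUID_RE.fullmatch(name):
            reasons.append("BHO has no readable display name")
        if looks_random(basename(path)):
            reasons.append("random-looking DLL name " + basename(path))
    elif line.startswith("O4 -"):
        # Shape: "O4 - <hive>\..\Run: [<value name>] <command line>"
        m = re.search(r"\[(.*?)\]\s*(.*)", line)
        if m:
            value, cmd = m.group(1), m.group(2)
            if re.fullmatch(r"[0-9a-f]{6,}", value):
                reasons.append("Run value name is a bare hex string")
            if "rundll32" in cmd.lower():
                dll = re.search(r'([^",]+\.dll)', cmd, re.I)
                if dll:
                    reasons.append("rundll32 starts a DLL at logon: " + basename(dll.group(1)))
                    if looks_random(basename(dll.group(1))):
                        reasons.append("random-looking DLL name " + basename(dll.group(1)))
            else:
                exe = re.search(r'([^"]+\.exe)', cmd, re.I)
                if exe and looks_random(basename(exe.group(1))):
                    reasons.append("random-looking program name " + basename(exe.group(1)))
    elif line.startswith("O20 - AppInit_DLLs:"):
        # AppInit_DLLs are loaded into every process that maps user32.dll, so
        # anything here that is not a known vendor library is worth a look.
        for dll in line.split(":", 1)[1].split():
            if looks_random(dll):
                reasons.append("random-looking AppInit DLL " + dll)
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """All flagged lines of a log, each paired with its reasons."""
    hits = []
    for line in log_text.splitlines():
        reasons = triage_line(line.rstrip())
        if reasons:
            hits.append((line, reasons))
    return hits


def suspicious_files(log_text: str) -> List[str]:
    """Basenames flagged as random-looking: the candidates for a Collect:: list."""
    names = set()
    for _, reasons in triage(log_text):
        for reason in reasons:
            if reason.startswith("random-looking"):
                names.add(reason.rsplit(" ", 1)[1].lower())
    return sorted(names)


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("    ->", reason)
    print("candidates:", ", ".join(suspicious_files(SAMPLE_LOG)))
```

Run it against a saved HijackThis log by reading the file into `triage()`; the output is a review list, not a removal list, and every flagged file still needs to be checked (signature, vendor, submission for analysis) before it goes into a script like the one above.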
Old 08-04-2008, 07:12 PM   #6 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 7
OS: Windows XP home


Re: Pop ups on I.E. Backdoor Trojan, help please deckards included

Hi,

I ran the combo fix with the CFscript and sent the report to Bleeping computer and attached it to this thread.

I performed the ATF Cleaner and deleted what you indicated.

I ran the Kaspersky scan and attached it to this post along with the latest HijackThis scan.

I have used the computer, surfed the internet with IE7, used my outlook 2007 (both accounts) and have not had any problems yet.

The computer seems to be faster also.

I keep having windows update notify me of new downloads, but I am hesitant that it might be a trick. So I am not going to install unless you can tell me how to verify it is authentic.

For some reason, my HP 7700 printer keeps changing settings to "photo paper", "mirror printing on", and best printing. I have to manually change these back or it prints backward (right to left).

If all the scans look back to normal, I can't thank you enough. This has been a nightmare trying to fix the computer before I found this forum.

Why doesn't McAfee stop these viruses? I am thinking of getting Kaspersky Anti-Virus. What do you find to be the best one out there now?

ComboFix 08-08-03.05 - Scott 2008-08-04 16:47:51.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.381 [GMT -4:00]
Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Scott\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\aefyhhdx.dll
C:\WINDOWS\SYSTEM32\ahljsrbk.dll
C:\WINDOWS\SYSTEM32\eglntsuv.dll
C:\WINDOWS\SYSTEM32\htcgsogy.dll
C:\WINDOWS\SYSTEM32\phqvkjwj.dll
C:\WINDOWS\SYSTEM32\sqwrpw.dll
C:\WINDOWS\SYSTEM32\vhthho.dll
C:\WINDOWS\SYSTEM32\xfogrels.dll
C:\WINDOWS\SYSTEM32\ygosgcth.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 13:33 . 2008-08-04 13:33 <DIR> d--hs---- C:\FOUND.029
2008-08-04 11:25 . 2008-08-04 11:26 578,560 --a------ C:\WINDOWS\SYSTEM32\dllcache\user32.dll
2008-08-04 11:18 . 2008-08-04 11:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-04 11:12 . 2008-08-04 11:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-04 10:50 . 2008-08-03 04:12 <DIR> d-------- C:\SDFix
2008-07-31 17:01 . 2008-07-31 17:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-31 16:57 . 2008-07-31 16:57 <DIR> d-------- C:\Deckard
2008-07-31 14:13 . 2008-07-31 14:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-31 14:12 . 2008-07-31 14:13 2,869,536 --a------ C:\Program Files\spywareblastersetup41.exe
2008-07-31 09:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-31 09:23 . 2008-07-31 09:23 <DIR> d-------- C:\Program Files\Panda Security
2008-07-30 22:47 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-07-30 22:47 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-07-30 22:47 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-07-30 22:47 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\PC Tools
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-29 16:11 . 2008-07-29 16:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-29 16:00 . 2008-07-29 16:00 <DIR> d-------- C:\WINDOWS\EHome
2008-07-29 15:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml6.dll
2008-07-29 15:55 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-07-29 15:55 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-29 15:55 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-07-29 15:55 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-07-29 15:55 . 2008-04-13 20:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-07-29 15:55 . 2008-04-13 20:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-07-29 15:55 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-07-29 15:53 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
2008-07-29 15:52 . 2004-08-03 22:41 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2008-07-29 15:11 . 2008-07-29 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-07-29 15:08 . 2008-07-29 15:08 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Citrix
2008-07-29 14:57 . 2008-07-29 14:57 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\McAfee
2008-07-28 08:17 . 2008-07-28 08:17 <DIR> d-------- C:\Program Files\RegCure
2008-07-27 23:05 . 2008-07-27 23:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-27 23:05 . 2008-08-04 16:54 2,677 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-27 23:04 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-07-27 23:02 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-07-27 23:02 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-07-27 23:02 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-07-27 23:02 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-07-27 23:02 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-27 23:01 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-07-27 22:54 . 2008-07-27 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 20:39 . 2008-07-24 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-24 19:27 . 2008-07-24 19:27 860,840 --a------ C:\Program Files\Support-LogMeInRescue.exe
2008-07-24 19:11 . 2008-07-24 19:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\N360_BACKUP
2008-07-20 13:00 . 2008-07-20 13:00 <DIR> d--hs---- C:\FOUND.028
2008-07-18 10:00 . 2008-07-18 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-18 09:28 . 2008-07-18 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-07-16 09:24 . 2008-07-16 09:24 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Windows Desktop Search
2008-07-16 09:23 . 2008-07-16 09:23 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-07-16 08:55 . 2008-07-16 08:55 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-16 08:54 . 2008-07-16 08:54 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-16 08:50 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Microsoft Help
2008-07-16 08:49 . 2008-07-16 08:49 <DIR> dr-h----- C:\MSOCache
2008-07-16 08:49 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-16 08:24 . 2008-07-16 08:24 214,297,118 --a------ C:\Program Files\Outlook_2007_EN.zip
2008-07-09 03:00 . 2008-07-09 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Roxio
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-08 20:25 . 2008-07-08 20:25 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Blackberry Desktop
2008-07-08 20:20 . 2008-07-08 20:20 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Research In Motion
2008-07-08 20:20 . 2008-07-21 17:34 256 --a------ C:\WINDOWS\SYSTEM32\pool.bin
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-08 19:54 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\RimSerial.sys
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Common Files\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 20:40 48,248 ----a-w C:\Documents and Settings\Scott\Application Data\GDIPFONTCACHEV1.DAT
2008-07-29 19:08 61,224 ----a-w C:\WINDOWS\JAVA\GoToAssistDownloadHelper.exe
2008-07-16 22:32 10,946,560 ----a-w C:\Program Files\XPSEP XP and Server 2003 64 bit.msi
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\SYSTEM32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\dllcache\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-02-27 01:55 5,910,715 ----a-w C:\Program Files\Audit_Support_Center.exe
2007-08-05 17:09 18,568,192 ----a-w C:\Program Files\yie7setup_tb7_news.exe
2007-07-06 16:18 138,197 ----a-w C:\Program Files\ConfirmationLetter.pdf
2007-02-27 21:27 22,976,688 ----a-w C:\Program Files\stamps.exe
2006-04-08 16:32 1,515,898 ----a-w C:\Program Files\LOM.exe
2005-04-03 16:27 271 --sh--w C:\Program Files\desktop.ini
2005-04-03 16:27 23,357 ---h--w C:\Program Files\folder.htt
2003-08-20 22:40 289 ----a-w C:\Program Files\readme.html
2003-07-30 19:06 8,944 ----a-w C:\Program Files\Oj71WinXP.cat
2003-07-30 19:06 36,926 ----a-w C:\Program Files\oj71inst.cat
2003-06-25 06:43 16,384 ----a-w C:\Program Files\hpo9xmig.exe
2003-06-25 04:41 9,078 ----a-w C:\Program Files\Oj71WinXP.inf
2002-09-09 19:11 6,130 ----a-w C:\Program Files\Oj71Inst.inf
2001-02-17 08:12 22,048 ----a-w C:\Program Files\cocpyinf.dll
2004-08-04 16:00 94,784 --sh--w C:\WINDOWS\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_12.44.26.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-11-08 01:01:06 66,048 ----a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2007-08-13 22:52:06 66,048 ----a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2006-10-26 23:49:48 1,011,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSDAIPP.DLL
+ 2006-10-26 23:49:46 970,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSONSEXT.DLL
+ 2006-10-27 19:00:12 1,751,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACECORE.DLL
+ 2006-10-27 19:00:10 576,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEDAO.DLL
+ 2006-10-27 19:00:06 47,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEERR.DLL
+ 2006-10-27 19:00:08 191,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEES.DLL
+ 2006-10-27 00:13:34 338,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEEXCH.DLL
+ 2006-10-27 00:13:44 629,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEEXCL.DLL
+ 2006-10-27 00:13:28 207,736 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACELTS.DLL
+ 2006-10-27 00:13:32 279,352 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEODBC.DLL
+ 2006-10-27 00:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEODDBS.DLL
+ 2006-10-27 00:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEODEXL.DLL
+ 2006-10-27 00:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEODPDX.DLL
+ 2006-10-27 00:13:12 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEODTXT.DLL
+ 2006-10-27 19:00:06 387,960 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEOLEDB.DLL
+ 2006-10-27 00:13:38 392,048 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEPDE.DLL
+ 2006-10-27 00:13:30 260,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACER2X.DLL
+ 2006-10-27 00:13:32 289,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACER3X.DLL
+ 2006-10-27 00:13:20 56,120 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACERCLR.DLL
+ 2006-10-27 00:13:38 551,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEREP.DLL
+ 2006-10-27 00:13:30 224,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACETXT.DLL
+ 2006-10-27 00:13:34 371,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ACEXBE.DLL
+ 2006-10-27 19:41:04 399,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\CDLMSO.DLL
+ 2006-10-26 23:59:24 205,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\CLVIEW.EXE
+ 2006-10-27 01:30:42 65,312 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\COLLIMP.DLL
+ 2006-10-26 23:48:14 439,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\DWDCW20.DLL
+ 2006-10-26 23:48:14 434,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\DWTRIG20.EXE
+ 2006-10-26 18:10:08 1,190,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\FM20.DLL
+ 2006-10-26 23:21:24 1,682,232 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\FPSRVUTL.DLL
+ 2006-10-27 19:09:36 983,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\FPWEC.DLL
+ 2006-10-27 00:12:52 173,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\IEAWSDC.DLL
+ 2006-10-26 23:55:10 828,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MEDCAT.DLL
+ 2006-10-26 17:58:14 117,552 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSCONV97.DLL
+ 2006-10-27 19:26:40 16,870,712 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSO.DLL
+ 2006-10-27 18:59:06 161,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSOCF.DLL
+ 2006-10-26 23:48:12 14,664 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSOCFU.DLL
+ 2006-10-27 00:12:58 428,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSODCW.DLL
+ 2006-10-27 01:13:36 26,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSOEURO.DLL
+ 2006-10-27 00:00:08 6,635,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSORES.DLL
+ 2006-10-26 17:56:36 436,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSORUN.DLL
+ 2006-10-26 17:56:40 505,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSSOAP30.DLL
+ 2006-10-26 23:55:12 832,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSTORDB.EXE
+ 2006-10-26 23:55:06 538,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\MSTORES.DLL
+ 2006-10-27 00:12:30 65,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\NAME.DLL
+ 2006-10-27 19:14:34 14,151,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\OART.DLL
+ 2006-10-27 0054 232,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\ODEPLOY.EXE
+ 2006-10-27 00:14:06 7,033,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\OFFOWC.DLL
+ 2006-10-27 19:18:36 1,658,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\OGL.DLL
+ 2006-10-27 00:00:08 274,744 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\OIS.EXE
+ 2006-10-27 00:00:12 998,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\OISAPP.DLL
+ 2006-10-27 00:00:10 285,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\OISGRAPH.DLL
+ 2006-10-27 00:07:04 6,536,992 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\OSETUP.DLL
+ 2006-07-26 22:53:56 459,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\OUTLFLTR.DLL
+ 2006-10-27 01:30:44 482,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\PORTCONN.DLL
+ 2006-10-27 01:13:38 38,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\REFEDIT.DLL
+ 2006-10-27 00:13:00 503,624 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\SELFCERT.EXE
+ 2006-10-27 0058 439,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\SETUP.EXE
+ 2006-07-28 19:21:58 277,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\SSGEN.DLL
+ 2006-09-30 04:42:56 2,583,344 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\000021090E0000000000000000F01FEC\12.0.4518\VBE6.DLL
- 2008-07-16 13:01:20 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-08-04 17:57:52 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2008-07-23 07:01:02 20,240 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-08-04 17:56:38 20,240 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-07-23 07:01:02 217,864 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\misc.exe
+ 2008-08-04 17:56:38 217,864 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\misc.exe
- 2008-07-23 07:01:02 18,704 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-08-04 17:56:38 18,704 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-07-23 07:01:02 35,088 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-08-04 17:56:38 35,088 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-07-23 07:01:02 845,584 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-08-04 17:56:38 845,584 ----a-r C:\WINDOWS\Installer\{90120000-00E0-0000-0000-0000000FF1CE}\outicon.exe
- 2006-11-07 07:26:44 71,680 ----a-w C:\WINDOWS\SYSTEM32\admparse.dll
+ 2007-08-13 22:39:20 71,680 ----a-w C:\WINDOWS\SYSTEM32\admparse.dll
- 2008-08-04 12:04:42 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-08-04 17:03:56 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-08-04 12:04:42 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-04 17:03:56 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-04 12:04:42 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-04 17:03:56 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-07 07:26:44 71,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\admparse.dll
+ 2007-08-13 22:39:20 71,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\admparse.dll
+ 2006-09-23 17:12:50 1,022,976 ------w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
+ 2007-08-13 22:42:54 17,408 ------w C:\WINDOWS\SYSTEM32\dllcache\corpol.dll
- 2006-11-08 01:03:36 33,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\custsat.dll
+ 2007-08-13 22:54:10 33,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\custsat.dll
- 2006-10-17 15:44:36 60,416 ----a-w C:\WINDOWS\SYSTEM32\dllcache\hmmapi.dll
+ 2007-08-13 22:18:02 60,416 ----a-w C:\WINDOWS\SYSTEM32\dllcache\hmmapi.dll
- 2006-10-17 16:04:50 69,120 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
+ 2007-08-13 22:44:02 69,120 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
+ 2007-08-13 22:45:18 78,336 ------w C:\WINDOWS\SYSTEM32\dllcache\ieencode.dll
- 2006-11-08 01:03:36 191,488 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
+ 2007-08-13 22:54:10 191,488 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
- 2006-11-07 07:26:42 55,296 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iesetup.dll
+ 2007-08-13 22:39:12 55,296 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iesetup.dll
- 2006-10-17 15:57:58 36,352 ----a-w C:\WINDOWS\SYSTEM32\dllcache\imgutil.dll
+ 2007-08-13 22:36:06 36,352 ----a-w C:\WINDOWS\SYSTEM32\dllcache\imgutil.dll
- 2006-11-07 07:26:24 92,672 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
+ 2007-08-13 22:39:02 92,672 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
- 2006-10-17 16:05:10 40,960 ----a-w C:\WINDOWS\SYSTEM32\dllcache\licmgr10.dll
+ 2007-08-13 22:44:18 40,960 ----a-w C:\WINDOWS\SYSTEM32\dllcache\licmgr10.dll
- 2006-10-17 15:56:10 45,568 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshta.exe
+ 2007-08-13 22:32:30 45,568 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshta.exe
- 2006-10-17 15:28:56 48,128 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmler.dll
+ 2007-08-13 22:01:12 48,128 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmler.dll
- 2006-11-08 01:03:36 156,160 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msls31.dll
+ 2007-08-13 22:54:10 156,160 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msls31.dll
+ 2006-09-23 17:12:50 1,497,088 ------w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
+ 2006-09-23 17:12:50 474,112 ------w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
- 2006-10-26 18:10:08 1,190,688 ----a-w C:\WINDOWS\SYSTEM32\FM20.DLL
+ 2007-08-23 05:03:38 1,195,888 ----a-w C:\WINDOWS\SYSTEM32\FM20.DLL
- 2006-11-08 01:03:36 191,488 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
+ 2007-08-13 22:54:10 191,488 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
- 2006-11-07 07:26:42 55,296 ----a-w C:\WINDOWS\SYSTEM32\iesetup.dll
+ 2007-08-13 22:39:12 55,296 ----a-w C:\WINDOWS\SYSTEM32\iesetup.dll
- 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2007-08-13 22:39:10 13,312 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
- 2006-11-08 01:03:36 180,736 ------w C:\WINDOWS\SYSTEM32\ieui.dll
+ 2007-08-13 22:54:10 180,736 ----a-w C:\WINDOWS\SYSTEM32\ieui.dll
- 2006-10-17 15:57:58 36,352 ----a-w C:\WINDOWS\SYSTEM32\imgutil.dll
+ 2007-08-13 22:36:06 36,352 ----a-w C:\WINDOWS\SYSTEM32\imgutil.dll
- 2006-11-07 07:26:24 92,672 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
+ 2007-08-13 22:39:02 92,672 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
- 2006-10-17 16:05:10 40,960 ----a-w C:\WINDOWS\SYSTEM32\licmgr10.dll
+ 2007-08-13 22:44:18 40,960 ----a-w C:\WINDOWS\SYSTEM32\licmgr10.dll
- 2006-10-17 15:58:32 12,288 ------w C:\WINDOWS\SYSTEM32\msfeedssync.exe
+ 2007-08-13 22:36:40 12,288 ----a-w C:\WINDOWS\SYSTEM32\msfeedssync.exe
- 2006-10-17 15:56:10 45,568 ----a-w C:\WINDOWS\SYSTEM32\mshta.exe
+ 2007-08-13 22:32:30 45,568 ----a-w C:\WINDOWS\SYSTEM32\mshta.exe
- 2006-10-17 15:28:56 48,128 ----a-w C:\WINDOWS\SYSTEM32\mshtmler.dll
+ 2007-08-13 22:01:12 48,128 ----a-w C:\WINDOWS\SYSTEM32\mshtmler.dll
- 2006-11-08 01:03:36 156,160 ----a-w C:\WINDOWS\SYSTEM32\msls31.dll
+ 2007-08-13 22:54:10 156,160 ----a-w C:\WINDOWS\SYSTEM32\msls31.dll
- 2006-10-17 16:05:58 206,336 ------w C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
+ 2007-08-13 22:45:16 206,336 ----a-w C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-04-21 08:40:28 256000]
PowerReg Scheduler V3.exe [2005-07-21 07:20:00 225280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL sqwrpw.dll vhthho.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"aux"= ctwdm32.dll
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms30.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 12:28 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
--a------ 2007-11-30 05:42 1164576 C:\PROGRA~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-03-29 18:28 6815744 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
--a------ 2007-08-24 17:57 36640 C:\Program Files\SiteAdvisor\6261\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--------- 2004-08-04 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S0 Winms30;Winms30;C:\WINDOWS\system32\Drivers\Winms30.sys []
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 18:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-07-28 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-28 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-31 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-04 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-375113a0 - C:\WINDOWS\system32\htcgsogy.dll
MSConfigStartUp-lanmanwrk - C:\WINDOWS\System32\lanmanwrk.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 16:53:31
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\MCAFEE\MSC\MCMSCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
C:\PROGRAM FILES\MCAFEE\MPF\MPFSRV.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\SITEADVISOR\6261\SASERVICE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-04 16:57:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-04 20:56:50
ComboFix2.txt 2008-08-04 16:45:40

Pre-Run: 16,234,905,600 bytes free
Post-Run: 16,280,944,640 bytes free

439 --- E O F --- 2008-08-04 17:58:07

========


Monday, August 4, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 04, 2008 16:07:43
Records in database: 1053458


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 70885
Threat name 11
Infected objects 79
Suspicious objects 0
Duration of the scan 03:21:18

File name Threat name Threats count
C:\WINDOWS\CouponBarIE.dll Infected: not-a-virus:AdWare.Win32.Mostofate.cg 1

C:\Documents and Settings\Scott\Desktop\SDFix.exe Infected: Backdoor.Win32.Hupigon.dckd 1

C:\Documents and Settings\Scott\Desktop\[4]-Submit_2008-08-04@16.47.zip Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 4

C:\Documents and Settings\Scott\Desktop\[4]-Submit_2008-08-04@16.47.zip Infected: Trojan.Win32.Monder.cet 1

C:\Documents and Settings\Scott\Desktop\[4]-Submit_2008-08-04@16.47.zip Infected: Trojan.Win32.Monder.bvp 2

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0279546.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0279560.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0279614.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0279649.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0279663.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0279674.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0280674.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0280688.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0280709.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1075\A0280720.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1076\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1076\A0280780.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1076\A0280792.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1076\A0280817.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1076\A0280835.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1076\A0280861.dll Infected: Trojan-Downloader.Win32.Mutant.atb 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1076\A0280865.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Mutant.atp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280881.dll Infected: Trojan-Downloader.Win32.Mutant.atp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280885.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280902.dll Infected: Trojan-Downloader.Win32.Mutant.atp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280903.DLL Infected: Trojan.Win32.Monder.bvn 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280907.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280922.dll Infected: Trojan-Downloader.Win32.Mutant.atp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280926.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280936.dll Infected: Trojan-Downloader.Win32.Mutant.atp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280940.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280951.dll Infected: Trojan-Downloader.Win32.Mutant.atp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280952.DLL Infected: Trojan.Win32.Monder.cet 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1077\A0280956.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1078\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Mutant.atp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1078\A0280971.dll Infected: Trojan-Downloader.Win32.Mutant.atp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1078\A0280975.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1078\A0280989.dll Infected: Trojan-Downloader.Win32.Mutant.atp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1078\A0280993.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1078\A0281029.exe Infected: Backdoor.Win32.Hupigon.dckd 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1078\A0281074.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1078\A0281101.exe Infected: Backdoor.Win32.Hupigon.dckd 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281217.sys Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281218.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cca 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281219.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cca 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281220.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281221.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281223.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281225.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281251.exe Infected: Backdoor.Win32.Hupigon.dckd 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281252.exe Infected: Backdoor.Win32.Hupigon.dckd 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1079\A0281253.exe Infected: Backdoor.Win32.Hupigon.dckd 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1085\A0282555.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1085\A0282556.dll Infected: Trojan.Win32.Monder.cet 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1085\A0282557.dll Infected: Trojan.Win32.Monder.bvp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1085\A0282559.dll Infected: Trojan.Win32.Monder.bvp 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1085\A0282560.DLL Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1085\A0282561.DLL Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\System Volume Information\_restore{8B02837B-B342-4930-A922-F2D4E8388B90}\RP1085\A0282562.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\SDFix\apps\swsc.exe Infected: Backdoor.Win32.Hupigon.dckd 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Winvc30.sys.vir Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cejxqx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cca 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\eauwwlpr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cca 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kbsozf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kjhvgw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qvovknxx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uaaoimxb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aefyhhdx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ahljsrbk.dll.vir Infected: Trojan.Win32.Monder.cet 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\eglntsuv.dll.vir Infected: Trojan.Win32.Monder.bvp 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\phqvkjwj.dll.vir Infected: Trojan.Win32.Monder.bvp 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sqwrpw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vhthho.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xfogrels.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

The selected area was scanned.

=======

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:45 PM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186328631921
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - AppInit_DLLs: NVDESK32.DLL sqwrpw.dll vhthho.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9370 bytes
Attached Files
File Type: txt Combofix 2 .txt (35.4 KB, 1 views)
File Type: txt hijackthis 2.txt (9.2 KB, 1 views)
File Type: doc Karpesky scan.doc (118.0 KB, 1 views)

Last edited by TheBruce1; 08-05-2008 at 03:49 AM.
summit15 is offline  
Old 08-05-2008, 04:33 AM   #7 (permalink)
Moderator, Analyst, Security Team
TheBruce1
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 4,490
OS: XP


Re: Pop ups on I.E. Backdoor Trojan, help please deckards included

Hello again

Delete [4]-Submit_2008-08-04@16.47.zip from your desktop; the files were uploaded successfully, thank you.

Quote:
Originally Posted by summit15
I keep having Windows Update notify me of new downloads, but I am hesitant that it might be a trick. So I am not going to install unless you can tell me how to verify it is authentic.
Go ahead and install the updates if you wish.

Quote:
Originally Posted by summit15
For some reason, my HP 7700 printer keeps changing settings to "photo paper", "mirror printing on", and best printing. I have to manually change these back or it prints backward (right to left).
You may need to uninstall then reinstall your printer software if the problem persists.

Quote:
Originally Posted by summit15
Why doesn't McAfee stop these viruses? I am thinking of getting Kaspersky Anti-Virus. What do you find to be the best one out there now?
I'm afraid no vendor will stop every malicious file out there; when we have concluded I will post a couple of interesting articles on how best to protect yourself. As for your question as to whether Kaspersky is better than McAfee, there is no simple answer to that. I prefer Kaspersky to McAfee for many reasons, it's light and it updates hourly to name two; always try the trial version first before purchasing the product.

===========

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O15 - Trusted Zone: http://*.mcafee.com
O20 - AppInit_DLLs: NVDESK32.DLL sqwrpw.dll vhthho.dll
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Please remember to close all other windows, including browsers, then click Fix checked.

=========

Open Notepad and copy/paste the text in the quote box below into it:

Quote:
Folder::
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Symantec Temporary Files
C:\Program Files\Common Files\Symantec Shared
Driver::
symlcsvc
File::
C:\WINDOWS\CouponBarIE.dll
Save this as CFscript.

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window while it is running; that may cause it to stall.

=========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=========
Logs Required
C:\Combofix.txt
Hijackthis Log


Note: Do NOT attach your logs, just copy/paste them into your reply
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI



If we have helped you in any way, please consider Donating
TheBruce1 is offline  
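The entries TheBruce1 picked out of the HijackThis log above (an IE proxy setting, a Trusted Zone host, the AppInit_DLLs line and a service with no publisher) are the same classes of entry a helper checks first in every one of these logs. The following is an added example, not HijackThis, ComboFix or forum code, that applies those selection rules to HijackThis-style log lines. The sample lines are copied from the log posted above; the allowlist parameter and the "random-looking name" heuristic (6 to 8 lowercase letters, matching the quarantined DLL names in the Kaspersky output above) are this example's own assumptions, not a HijackThis feature.

```python
"""Triage HijackThis log lines the way the moderator did in this thread.

Added example, not HijackThis, ComboFix or forum code. Assumptions:
the R1/O15/O20/O23 selection rules below are inferred from which
entries the moderator asked to have fixed, and the "random-looking
name" heuristic is ours, tuned to the quarantined DLL names (6-8
lowercase letters) listed in the Kaspersky output above.
"""
import re
from dataclasses import dataclass

# "sqwrpw.dll", "vhthho.dll", "cejxqx.dll": 6-8 lowercase letters, no vendor prefix.
RANDOM_NAME = re.compile(r"^[a-z]{6,8}\.dll$")
# HijackThis entry: section code, " - ", then the body.
ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - Startup: PowerReg Scheduler.exe
O15 - Trusted Zone: http://*.mcafee.com
O20 - AppInit_DLLs: NVDESK32.DLL sqwrpw.dll vhthho.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""


@dataclass
class Finding:
    kind: str      # HijackThis section code, e.g. "O20"
    reason: str    # why the entry is flagged
    line: str      # the original log line, for the fix list


def triage(log_text, appinit_allowlist=()):
    """Return the entries a helper would put on the 'Fix checked' list."""
    allow = {name.lower() for name in appinit_allowlist}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R1" and "ProxyServer" in body:
            # Any proxy setting gets a look: hijackers use it to intercept browsing,
            # and a leftover like ":0" is still a dead setting to clear.
            value = body.split("=", 1)[1].strip()
            findings.append(Finding(kind, f"IE proxy server configured ({value!r})", line))
        elif kind == "O15":
            # Trusted Zone entries relax IE security for that host; hijackers add their own.
            findings.append(Finding(kind, "host added to IE Trusted Zone", line))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that loads user32.dll.
            names = body.split(":", 1)[1].split()
            unknown = [n for n in names if n.lower() not in allow]
            generated = [n for n in unknown if RANDOM_NAME.match(n.lower())]
            if unknown:
                reason = f"AppInit_DLLs injects into every GUI process; not allowlisted: {unknown}"
                if generated:
                    reason += f"; random-looking names: {generated}"
                findings.append(Finding(kind, reason, line))
        elif kind == "O23" and "Unknown owner" in body:
            # A service whose binary carries no publisher is checked before it is trusted.
            findings.append(Finding(kind, "service binary has no publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, appinit_allowlist=("NVDESK32.DLL",)):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

Run as-is it reports exactly the four entries on the fix list above. The O20 finding reports the whole line rather than individual DLLs because HijackThis's "Fix checked" clears the entire AppInit_DLLs value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs), which is why the NVIDIA entry goes along with the two random-named DLLs; pass an allowlist if you want known-good names left out of the report.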
Old 08-05-2008, 06:07 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 7
OS: Windows XP home


Re: Pop ups on I.E. Backdoor Trojan, help please deckards included

Hi,

I went through and followed your instructions exactly. I will paste the ComboFix log and HijackThis log below.

Thanks again for your help; I look forward to the articles on computer protection. I think I will be using Kaspersky after this.

ComboFix 08-08-03.05 - Scott 2008-08-05 8:40:11.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.401 [GMT -4:00]
Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Scott\Desktop\CFscript (3).txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 08:04 . 2008-08-05 08:04 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-04 17:07 . 2008-08-04 17:07 <DIR> d-------- C:\WINDOWS\Sun
2008-08-04 17:06 . 2008-08-04 17:06 <DIR> d-------- C:\Program Files\Java
2008-08-04 17:06 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-08-04 17:05 . 2008-08-04 17:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-04 13:33 . 2008-08-04 13:33 <DIR> d--hs---- C:\FOUND.029
2008-08-04 11:25 . 2008-08-04 11:26 578,560 --a------ C:\WINDOWS\SYSTEM32\dllcache\user32.dll
2008-08-04 11:18 . 2008-08-04 11:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-04 11:12 . 2008-08-04 11:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-04 10:50 . 2008-08-03 04:12 <DIR> d-------- C:\SDFix
2008-07-31 17:01 . 2008-07-31 17:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-31 16:57 . 2008-07-31 16:57 <DIR> d-------- C:\Deckard
2008-07-31 14:13 . 2008-07-31 14:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-31 14:12 . 2008-07-31 14:13 2,869,536 --a------ C:\Program Files\spywareblastersetup41.exe
2008-07-31 09:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-31 09:23 . 2008-07-31 09:23 <DIR> d-------- C:\Program Files\Panda Security
2008-07-30 22:47 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-07-30 22:47 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-07-30 22:47 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-07-30 22:47 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-30 22:46 . 2008-07-30 22:46 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\PC Tools
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-30 20:00 . 2008-07-30 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-07-29 16:14 . 2008-07-29 16:14 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-29 16:11 . 2008-07-29 16:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-29 16:00 . 2008-07-29 16:00 <DIR> d-------- C:\WINDOWS\EHome
2008-07-29 15:55 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml6.dll
2008-07-29 15:55 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-07-29 15:55 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-07-29 15:55 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-07-29 15:55 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-07-29 15:55 . 2008-04-13 20:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-07-29 15:55 . 2008-04-13 20:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-07-29 15:55 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-07-29 15:53 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\SYSTEM32\ati3duag.dll
2008-07-29 15:52 . 2004-08-03 22:41 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2008-07-29 15:11 . 2008-07-29 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-07-29 15:08 . 2008-07-29 15:08 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Citrix
2008-07-29 14:57 . 2008-07-29 14:57 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\McAfee
2008-07-28 08:17 . 2008-07-28 08:17 <DIR> d-------- C:\Program Files\RegCure
2008-07-27 23:05 . 2008-07-27 23:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-27 23:05 . 2008-08-05 08:02 4,527 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\SiteAdvisor
2008-07-27 23:04 . 2008-07-27 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-27 23:04 . 2006-03-03 08:07 143,360 --------- C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-07-27 23:02 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-07-27 23:02 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-07-27 23:02 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-07-27 23:02 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-07-27 23:02 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\McAfee
2008-07-27 23:01 . 2008-07-27 23:01 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-27 23:01 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-07-27 22:54 . 2008-07-27 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 20:39 . 2008-07-24 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-24 19:27 . 2008-07-24 19:27 860,840 --a------ C:\Program Files\Support-LogMeInRescue.exe
2008-07-24 19:11 . 2008-07-24 19:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\N360_BACKUP
2008-07-20 13:00 . 2008-07-20 13:00 <DIR> d--hs---- C:\FOUND.028
2008-07-18 10:00 . 2008-07-18 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-18 09:28 . 2008-07-18 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-07-16 09:24 . 2008-07-16 09:24 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Windows Desktop Search
2008-07-16 09:23 . 2008-07-16 09:23 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-07-16 08:55 . 2008-07-16 08:55 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-16 08:54 . 2008-07-16 08:54 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-16 08:50 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Microsoft Help
2008-07-16 08:49 . 2008-07-16 08:49 <DIR> dr-h----- C:\MSOCache
2008-07-16 08:49 . 2008-07-16 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-16 08:24 . 2008-07-16 08:24 214,297,118 --a------ C:\Program Files\Outlook_2007_EN.zip
2008-07-09 03:00 . 2008-07-09 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Roxio
2008-07-08 20:30 . 2008-07-08 20:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-08 20:25 . 2008-07-08 20:25 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Blackberry Desktop
2008-07-08 20:20 . 2008-07-08 20:20 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Research In Motion
2008-07-08 20:20 . 2008-07-21 17:34 256 --a------ C:\WINDOWS\SYSTEM32\pool.bin
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-08 20:14 . 2008-07-08 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-08 20:09 . 2008-07-08 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-08 19:54 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\RimSerial.sys
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-08 19:52 . 2008-07-08 19:52 <DIR> d-------- C:\Program Files\Common Files\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 20:40 48,248 ----a-w C:\Documents and Settings\Scott\Application Data\GDIPFONTCACHEV1.DAT
2008-07-29 19:08 61,224 ----a-w C:\WINDOWS\JAVA\GoToAssistDownloadHelper.exe
2008-07-16 22:32 10,946,560 ----a-w C:\Program Files\XPSEP XP and Server 2003 64 bit.msi
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\SYSTEM32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\dllcache\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-02-27 01:55 5,910,715 ----a-w C:\Program Files\Audit_Support_Center.exe
2007-08-05 17:09 18,568,192 ----a-w C:\Program Files\yie7setup_tb7_news.exe
2007-07-06 16:18 138,197 ----a-w C:\Program Files\ConfirmationLetter.pdf
2007-02-27 21:27 22,976,688 ----a-w C:\Program Files\stamps.exe
2006-04-08 16:32 1,515,898 ----a-w C:\Program Files\LOM.exe
2005-04-03 16:27 271 --sh--w C:\Program Files\desktop.ini
2005-04-03 16:27 23,357 ---h--w C:\Program Files\folder.htt
2003-08-20 22:40 289 ----a-w C:\Program Files\readme.html
2003-07-30 19:06 8,944 ----a-w C:\Program Files\Oj71WinXP.cat
2003-07-30 19:06 36,926 ----a-w C:\Program Files\oj71inst.cat
2003-06-25 06:43 16,384 ----a-w C:\Program Files\hpo9xmig.exe
2003-06-25 04:41 9,078 ----a-w C:\Program Files\Oj71WinXP.inf
2002-09-09 19:11 6,130 ----a-w C:\Program Files\Oj71Inst.inf
2001-02-17 08:12 22,048 ----a-w C:\Program Files\cocpyinf.dll
2004-08-04 16:00 94,784 --sh--w C:\WINDOWS\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
.

((((((((((((((((((((((((((((( snapshot_2008-08-04_16.56.03.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-03 12:07:02 143,360 ----a-w C:\WINDOWS\LastGood\system32\dunzip32.dll
+ 2008-04-14 00:12:04 23,040 ----a-w C:\WINDOWS\LastGood\system32\psapi.dll
- 2008-08-04 17:03:56 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-08-05 12:08:32 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-08-04 17:03:56 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-05 12:08:32 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-04 17:03:56 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-05 12:08:32 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-13 22:39:10 13,312 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\SYSTEM32\ieudinit.exe
+ 2008-06-10 05:21:02 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-04-21 08:40:28 256000]
PowerReg Scheduler V3.exe [2005-07-21 07:20:00 225280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"aux"= ctwdm32.dll
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms30.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 12:28 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 19:12 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
--a------ 2007-11-30 05:42 1164576 C:\PROGRA~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-03-29 18:28 6815744 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
--a------ 2007-08-24 17:57 36640 C:\Program Files\SiteAdvisor\6261\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
--------- 2004-08-04 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S0 Winms30;Winms30;C:\WINDOWS\system32\Drivers\Winms30.sys []
S2 0246901217938120mcinstcleanup;McAfee Application Installer Cleanup (0246901217938120);C:\WINDOWS\TEMP\024690~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 18:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-07-28 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-28 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-31 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-05 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lanmanwrk - C:\WINDOWS\System32\lanmanwrk.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 08:43:26
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
Completion time: 2008-08-05 8:44:46
ComboFix-quarantined-files.txt 2008-08-05 12:44:34
ComboFix3.txt 2008-08-04 16:45:40
ComboFix2.txt 2008-08-04 20:57:08

Pre-Run: 15,782,903,808 bytes free
Post-Run: 15,885,516,800 bytes free

294 --- E O F --- 2008-08-05 12:05:56


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:16 AM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186328631921
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O23 - Service: McAfee Application Installer Cleanup (0246901217938120) (0246901217938120mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\024690~1.EXE (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 9072 bytes
Old 08-05-2008, 06:13 AM   #9 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 4,490
OS: XP


Re: Pop ups on I.E. Backdoor Trojan, help please deckards included

Hello,

Delete SDFix from your desktop, also delete this folder C:\SDFix.

You can keep ATF-Cleaner if you wish.

=========

Well done, your logs are clean.

Click start>run>type(or copy/paste command into run box):

ComboFix /u

Click ok.

========

Clear IE7 cookies

* On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
* On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
* Click OK, and then click OK again.


Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In "Settings" window put the check mark for Cookies,Cache,Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released every second Tuesday of the month, on what is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:

* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note: Only compatible with Firefox 1.5 and higher.

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
Ad-Aware
Spybot S&D
Download SpywareBlaster 4.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
Download Spyware Guard to catch and block spyware before it can execute.

------------------------------------------------------------------

IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List.

Download and installation instructions for IE-Spyad™ Here

-----------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If you're having trouble downloading & extracting, see the link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the hosts file, double-click on it and a new window will open.

Double-click on mvps.bat and follow the prompts.

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme wants to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Also, please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI



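The MVPS HOSTS file advice in the post above works because every blocked name is made to resolve to the local machine. As an added example (not from the post, the MVPS project or the forum), the Python script below audits a HOSTS file the way a cleanup helper would: it confirms block entries point at a loopback or 0.0.0.0 address and flags any entry that redirects a real site to a foreign address, which is the pattern a HOSTS hijack leaves. The sample file and the list of watched vendor domains are constructed for this example.

```python
# Audit a Windows HOSTS file after installing a blocklist such as MVPS: blocked
# names should point at the local machine; no entry should redirect a real site.
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Hypothetical list of update/security vendor domains; a HOSTS entry sending one
# of these to a foreign address is tampering, not ad blocking.
WATCHED_SUFFIXES = ("microsoft.com", "mcafee.com", "mvps.org", "windowsupdate.com")

@dataclass
class HostsAudit:
    sinkholed: List[str] = field(default_factory=list)   # name -> loopback/0.0.0.0
    redirected: List[str] = field(default_factory=list)  # name -> any other address
    malformed: List[str] = field(default_factory=list)   # lines that did not parse

def _is_sinkhole(addr) -> bool:
    # 127.x.x.x / ::1 (loopback) and 0.0.0.0 / :: (unspecified) both mean
    # "this machine, nothing to connect to" for blocking purposes.
    return addr.is_loopback or addr.is_unspecified

def audit_hosts(text: str) -> HostsAudit:
    """Classify every entry of a HOSTS file given as the file's full text."""
    result = HostsAudit()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip trailing comments
        if not line:
            continue                                # blank or comment-only line
        parts = line.split()
        try:
            if len(parts) < 2:
                raise ValueError("address without a host name")
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            result.malformed.append(raw)
            continue
        for name in parts[1:]:                      # one address, several names
            name = name.lower().rstrip(".")
            if _is_sinkhole(addr):
                result.sinkholed.append(name)
            else:
                result.redirected.append(f"{name} -> {addr}")
    return result

def hijacked_security_sites(audit: HostsAudit) -> List[str]:
    """Redirected entries that touch one of the watched vendor domains."""
    hits = []
    for entry in audit.redirected:
        name = entry.split(" -> ", 1)[0]
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            hits.append(entry)
    return hits

# Constructed sample laid out like the MVPS file; not taken from the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 ads.example-adnet.test   # MVPS-style block entry
0.0.0.0   tracker.example.test
198.51.100.7 update.microsoft.com
198.51.100.7 www.mcafee.com
this line is broken
"""

AUDIT = audit_hosts(SAMPLE_HOSTS)   # the two 198.51.100.7 lines are the hijack
```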
Old 08-05-2008, 08:57 AM   #10 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 7
OS: Windows XP home


Re: Pop ups on I.E. Backdoor Trojan, help please deckards included

Thanks very much for the help.

I have performed the updates you listed.

A couple of quick questions on protection.

I have spywareblaster 4.1, do I also need spyware guard?

If I load all the suggestions (mvps hosts, winpatrol, snoopfree, spywareblaster plus my McAfee), will this severely slow my computer down?

Thank you
Old 08-05-2008, 09:08 AM   #11 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 4,490
OS: XP


Re: Pop ups on I.E. Backdoor Trojan, help please deckards included

Quote:
Originally Posted by summit15
I have spywareblaster 4.1, do I also need spyware guard?
Nope.

Quote:
Originally Posted by summit15
mvps hosts, winpatrol, snoopfree, spywareblaster
I have all these on my system and I had no problems (using Kaspersky); it should not cause any problems with McAfee.

Quote:
Originally Posted by summit15
Thank you
You're welcome, good luck and safe surfing.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI



Copyright 2001 - 2009, Tech Support Forum