Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Continuously getting a phishing attack
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 08-17-2008, 08:00 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 54
OS: Vista


Continuously getting a phishing attack
I fell victim to the oldest trick inthe book. I fell victim to PICS FOR MSN FRIENDS Phishing. Dont know what I was thinking, but anyway, now I continuously am getting a notification from Kaspersky that a URL, which does not display, is attempting a phishing attack. I have changed my password etc with windows live messenger.

I could not get the panda active scan to proceed, however Kaspersky has not found anything on my system.

Below is the HJT log. Please let me know if you see anything unusual.

Thanks




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:03 PM, on 8/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5656
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5656
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT5656
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7374 bytes

update, finally got panda active to work.




;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-19 03:20:22
PROTECTIONS: 2
MALWARE: 1
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender 1.1.3807.0 No Yes
Kaspersky Internet Security 7.0 7.0.0.125 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\owner\AppData\Roaming\Microsoft\Windows\Cookies\owner@atdmt[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location f�P���� s5
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description f�P���� s5
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Last edited by amateur; 08-19-2008 at 02:38 AM. Reason: to retain 0-reply status
Skuddbuster is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 08-21-2008, 11:07 PM   #2 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 54
OS: Vista


Re: Continuously getting a phishing attack
Bump. Thanks
Skuddbuster is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-22-2008, 05:34 AM   #3 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP


Re: Continuously getting a phishing attack
Hello and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. Its important that you follow this through until i give you the all clear, a lack of symptoms does not mean that it is no longer present.

Please DO NOT Attach logs to your posts unless you are advised to do so.


========

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

========

Please download MsnCleaner.zip and Save it to your Desktop.
  • Unzip it to the Desktop.
  • Now reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit Enter.
  • Double-click MsnCleaner.exe to run it.
  • Click the Analyze button.
  • A report will be created once after you finish scan.
  • If it finds an infection, click the Deleted button.
  • Now, please reboot back to normal mode.
  • Please post the contents of C:\MsnCleaner.txt in a reply to this post along with a new HJT log.

=========

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

==========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

==========

Click Start > Run and copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

=========
Logs Required
C:\MsnCleaner.txt
C:\Combofix.txt
Hijackthis Log
C:\Qoobox\Add-Remove Programs.txt
__________________
Member of ASAP since 2007
Member of UNITE since 2008

**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-23-2008, 11:14 AM   #4 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 54
OS: Vista


Re: Continuously getting a phishing attack
As requested.


- Logfile MSNCleaner 1.7.0 by www.forospyware.com
- Created Logfile: 8/23/2008 on 12:21:14 PM
- Operative System: Windows Vista
- Boot mode: Safe mode
_________________________________________

Detected files: 0
Deleted file: 0
Undeleted Files: 0

<<<<<<< No file found >>>>>>>






ComboFix 08-08-21.02 - owner 2008-08-23 12:42:32.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2225 [GMT -4:00]
Running from: C:\Users\owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\owner\AUTORUN.INF
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 12:20 . 2008-08-23 12:24 <DIR> d-------- C:\MSNCleaner
2008-08-23 00:39 . 2008-08-23 00:39 <DIR> d-------- C:\Program Files\Hamachi
2008-08-23 00:39 . 2008-08-23 00:39 25,280 --a------ C:\WINDOWS\System32\drivers\hamachi.sys
2008-08-22 22:18 . 2008-08-22 22:18 107,888 --a------ C:\WINDOWS\System32\CmdLineExt.dll
2008-08-22 22:04 . 2008-08-23 02:25 <DIR> d-------- C:\Users\owner\AppData\Roaming\Hamachi
2008-08-22 21:15 . 2008-08-22 21:15 <DIR> dr-h----- C:\Users\owner\AppData\Roaming\SecuROM
2008-08-22 21:15 . 2008-08-22 21:15 <DIR> d-------- C:\Users\All Users\Media Center Programs
2008-08-22 21:15 . 2008-08-22 21:15 <DIR> d-------- C:\ProgramData\Media Center Programs
2008-08-22 21:10 . 2008-08-22 21:10 <DIR> d-------- C:\Program Files\Sierra Entertainment
2008-08-22 21:09 . 2008-08-22 21:09 <DIR> d-------- C:\Users\owner\AppData\Roaming\InstallShield
2008-08-22 17:56 . 2008-08-22 17:56 <DIR> d-------- C:\Users\All Users\ATI
2008-08-22 17:56 . 2008-08-22 17:56 <DIR> d-------- C:\ProgramData\ATI
2008-08-22 00:28 . 2008-08-22 00:28 <DIR> d-------- C:\Users\All Users\Yahoo!
2008-08-22 00:28 . 2008-08-22 00:28 <DIR> d-------- C:\ProgramData\Yahoo!
2008-08-22 00:25 . 2008-08-22 00:25 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-19 22:48 . 2008-08-19 22:48 <DIR> d-------- C:\Users\owner\Banned by me
2008-08-19 16:26 . 2008-08-22 01:01 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-19 16:26 . 2008-08-22 01:01 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-19 16:26 . 2008-08-19 16:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-19 15:25 . 2008-08-19 15:25 <DIR> d-------- C:\Program Files\AVG
2008-08-19 02:23 . 2008-08-19 02:23 <DIR> d-------- C:\Program Files\Panda Security
2008-08-19 02:23 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\System32\drivers\pavboot.sys
2008-08-18 23:22 . 2008-08-19 23:03 <DIR> d-------- C:\Users\owner\cc
2008-08-18 18:34 . 2008-07-19 01:09 1,811,656 --a------ C:\WINDOWS\System32\wuaueng.dll
2008-08-18 18:34 . 2008-07-18 23:44 1,524,736 --a------ C:\WINDOWS\System32\wucltux.dll
2008-08-18 18:34 . 2008-07-19 01:10 53,448 --a------ C:\WINDOWS\System32\wuauclt.exe
2008-08-18 18:34 . 2008-07-19 01:10 45,768 --a------ C:\WINDOWS\System32\wups2.dll
2008-08-18 18:33 . 2008-07-19 01:09 563,912 --a------ C:\WINDOWS\System32\wuapi.dll
2008-08-18 18:33 . 2008-07-18 22:08 163,904 --a------ C:\WINDOWS\System32\wuwebv.dll
2008-08-18 18:33 . 2008-07-18 23:44 83,456 --a------ C:\WINDOWS\System32\wudriver.dll
2008-08-18 18:33 . 2008-07-19 01:10 36,552 --a------ C:\WINDOWS\System32\wups.dll
2008-08-18 18:33 . 2008-07-18 20:44 31,232 --a------ C:\WINDOWS\System32\wuapp.exe
2008-08-18 16:02 . 2008-08-18 16:05 <DIR> d-------- C:\Program Files\Windows Live(6)
2008-08-17 21:56 . 2008-08-17 21:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 21:25 . 2008-08-17 21:26 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-08-17 21:25 . 2008-08-17 21:26 <DIR> d-------- C:\ProgramData\Lavasoft
2008-08-17 21:25 . 2008-08-17 21:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-15 02:01 . 2008-08-22 22:48 <DIR> d-------- C:\Users\owner\AppData\Roaming\Xfire
2008-08-15 02:01 . 2008-08-22 19:38 <DIR> d-------- C:\Users\All Users\Xfire
2008-08-15 02:01 . 2008-08-22 19:38 <DIR> d-------- C:\ProgramData\Xfire
2008-08-15 02:01 . 2008-08-15 02:01 <DIR> d-------- C:\Program Files\Xfire
2008-08-13 17:22 . 2008-07-15 21:32 2,048 --a------ C:\WINDOWS\System32\tzres.dll
2008-08-13 17:17 . 2008-06-26 21:55 1,383,424 --a------ C:\WINDOWS\System32\mshtml.tlb
2008-08-13 17:17 . 2008-06-27 00:15 827,392 --a------ C:\WINDOWS\System32\wininet.dll
2008-08-13 17:17 . 2008-06-18 23:31 361,984 --a------ C:\WINDOWS\System32\IPSECSVC.DLL
2008-08-13 17:17 . 2008-04-18 01:48 269,312 --a------ C:\WINDOWS\System32\es.dll
2008-08-13 17:16 . 2008-04-10 01:12 738,304 --a------ C:\WINDOWS\System32\inetcomm.dll
2008-08-12 21:11 . 2008-08-22 18:34 <DIR> d-a------ C:\Users\All Users\TEMP
2008-08-12 21:11 . 2008-08-22 18:34 <DIR> d-a------ C:\ProgramData\TEMP
2008-08-12 21:11 . 2008-08-19 22:43 <DIR> d-------- C:\Fraps
2008-08-12 18:07 . 2008-08-12 18:07 42,320 --a------ C:\WINDOWS\System32\xfcodec.dll
2008-08-11 21:20 . 2008-08-11 21:20 <DIR> d-------- C:\Program Files\PingPlotter Standard
2008-08-07 17:10 . 2008-08-07 17:10 <DIR> d-------- C:\Program Files\Astyle CSS editor
2008-08-07 02:36 . 2008-08-07 02:40 <DIR> d-------- C:\Users\owner\FTP Home
2008-08-06 16:33 . 2008-08-06 16:33 0 --ah----- C:\WINDOWS\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-07-31 02:14 . 2008-07-31 02:15 <DIR> d-------- C:\Users\owner\Mods for PHPBB
2008-07-31 01:23 . 2008-07-31 01:26 <DIR> d-------- C:\Users\owner\IGUA website Backup file
2008-07-30 19:42 . 2008-07-30 19:42 <DIR> d-------- C:\Program Files\CCleaner
2008-07-30 19:27 . 2008-07-30 21:33 <DIR> d-------- C:\Users\owner\AppData\Roaming\FileZilla
2008-07-30 19:25 . 2008-07-30 19:25 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-07-30 19:19 . 2008-07-30 19:19 <DIR> d-------- C:\Users\owner\AppData\Roaming\SmartFTP
2008-07-30 19:19 . 2008-07-30 19:19 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-07-30 19:18 . 2008-07-30 19:18 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-07-26 08:39 . 2008-07-26 08:39 <DIR> d-------- C:\WINDOWS\System32\Adobe
2008-07-24 10:53 . 2008-07-24 10:53 <DIR> d-------- C:\Users\owner\AppData\Roaming\teamspeak2
2008-07-24 10:53 . 2008-07-24 10:53 34,064 --a------ C:\WINDOWS\System32\lhacm.acm
2008-07-24 10:52 . 2008-07-24 10:53 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-07-23 20:28 . 2008-07-23 20:28 <DIR> d-------- C:\Users\All Users\Electronic Arts
2008-07-23 20:28 . 2008-07-23 20:28 <DIR> d-------- C:\ProgramData\Electronic Arts
2008-07-23 17:36 . 2008-07-23 17:36 <DIR> dr------- C:\WINDOWS\System32\config\systemprofile\Videos
2008-07-23 17:36 . 2008-07-23 17:36 <DIR> dr------- C:\WINDOWS\System32\config\systemprofile\Searches
2008-07-23 17:36 . 2008-07-23 17:36 <DIR> dr------- C:\WINDOWS\System32\config\systemprofile\Saved Games
2008-07-23 17:36 . 2008-07-23 17:36 <DIR> dr------- C:\WINDOWS\System32\config\systemprofile\Pictures
2008-07-23 17:36 . 2008-07-23 17:36 <DIR> dr------- C:\WINDOWS\System32\config\systemprofile\Links
2008-07-23 17:36 . 2008-07-23 17:36 <DIR> dr------- C:\WINDOWS\System32\config\systemprofile\Downloads
2008-07-23 17:36 . 2008-07-23 17:36 <DIR> dr------- C:\WINDOWS\System32\config\systemprofile\Documents
2008-07-23 17:36 . 2008-07-23 20:28 7,270 --a------ C:\WINDOWS\System32\ealregsnapshot1.reg
2008-07-23 10:21 . 2008-07-23 10:21 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-07-23 10:21 . 2008-07-23 10:21 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-07-23 10:07 . 2007-11-08 05:04 11,967,524 --a------ C:\WINDOWS\System32\korwbrkr.lex

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 16:43 29,525,024 --sha-w C:\Windows\system32\drivers\fidbox.dat
2008-08-23 16:25 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-08-23 16:19 397,064 --sha-w C:\Windows\system32\drivers\fidbox.idx
2008-08-23 03:07 137,312 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-08-23 03:06 111,928 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-08-23 01:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-22 21:55 --------- d-----w C:\Program Files\ATI Technologies
2008-08-18 22:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-18 22:26 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-18 22:26 --------- d-----w C:\Users\owner\AppData\Roaming\Ventrilo
2008-08-18 22:26 --------- d-----w C:\Program Files\Windows Live
2008-08-18 20:02 --------- d-----w C:\ProgramData\WLInstaller
2008-08-18 01:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-13 21:23 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-13 21:20 --------- d-----w C:\Program Files\Windows Mail
2008-08-07 16:15 96,976 ----a-w C:\Windows\system32\drivers\klin.dat
2008-08-05 22:06 --------- d-----w C:\Program Files\Electronic Arts
2008-07-24 04:24 --------- d-----w C:\Program Files\Java
2008-07-23 18:18 87,855 ----a-w C:\Windows\system32\drivers\klick.dat
2008-07-21 01:46 --------- d-----w C:\Program Files\DropBox
2008-07-13 21:52 --------- d-----w C:\Program Files\2142 Sig Generator
2008-07-12 02:43 --------- d-----w C:\ProgramData\WildTangent
2008-07-11 15:57 --------- d--h--w C:\ProgramData\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-07-11 15:57 --------- d-----w C:\Program Files\Eraser
2008-07-11 15:33 --------- d-----w C:\Program Files\Password Safe
2008-07-09 16:45 --------- d-----w C:\ProgramData\NexonUS
2008-07-09 05:10 --------- d-----w C:\Users\owner\AppData\Roaming\GlarySoft
2008-07-09 05:09 --------- d-----w C:\Program Files\Absolute Uninstaller
2008-07-07 02:07 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-07-06 18:02 22,328 ----a-w C:\Users\owner\AppData\Roaming\PnkBstrK.sys
2008-07-06 17:52 --------- d-----w C:\Program Files\Activision
2008-06-28 23:55 --------- d-----w C:\Program Files\EA GAMES
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-18 03:35 0 ----a-w C:\Users\owner\AppData\Roaming\wklnhst.dat
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-10 18:45 21,840 ----atw C:\Windows\System32\SIntfNT.dll
2008-06-10 18:45 17,212 ----atw C:\Windows\System32\SIntf32.dll
2008-06-10 18:45 12,067 ----atw C:\Windows\System32\SIntf16.dll
2008-06-03 07:35 413,696 ----a-w C:\Windows\System32\ATIDEMGX.dll
2008-06-03 07:35 327,680 ----a-w C:\Windows\System32\atipdlxx.dll
2008-06-03 07:35 159,744 ----a-w C:\Windows\System32\atitmmxx.dll
2008-06-03 07:34 43,520 ----a-w C:\Windows\System32\ati2edxx.dll
2008-06-03 07:34 266,240 ----a-w C:\Windows\System32\Ati2evxx.dll
2008-06-03 07:34 262,144 ----a-w C:\Windows\System32\Oemdspif.dll
2008-06-03 07:33 684,032 ----a-w C:\Windows\System32\Ati2evxx.exe
2008-06-03 07:25 1,563,648 ----a-w C:\Windows\System32\atidxx32.dll
2008-06-03 07:19 3,401,216 ----a-w C:\Windows\System32\atiumdag.dll
2008-06-03 07:02 4,398,080 ----a-w C:\Windows\System32\atiumdva.dll
2008-06-03 06:50 49,664 ----a-w C:\Windows\System32\amdpcom32.dll
2008-06-03 06:49 32,256 ----a-w C:\Windows\System32\atiadlxx.dll
2008-06-03 06:48 10,043,392 ----a-w C:\Windows\System32\atioglxx.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-05-14 04:37 174 --sha-w C:\Program Files\desktop.ini
2008-04-30 18:20 0 ----a-w C:\Program Files\WMHelper.log
2008-01-11 21:54 158,112 ----a-w C:\Users\owner\startzune.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 01:15 81920]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"CHotkey"="zHotkey.exe" [2006-11-07 17:08 547840 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2005-01-27 12:13 36864 C:\WINDOWS\ShowWnd.exe]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-23 18:51 4435968 C:\WINDOWS\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-04-13 18:36 1822720 C:\WINDOWS\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\Windows\pss\BigFix.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DropBoxUtility]
--a------ 2008-02-09 20:53 405504 C:\Program Files\DropBox\DropBox\DropBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2008-06-13 18:27 2752512 C:\Program Files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
--a------ 2007-12-22 19:03 916240 C:\Program Files\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 17:57 1103480 C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
--a------ 2007-07-13 17:56 40072 C:\WINDOWS\SMINST\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-07-06 01:15 8466432 C:\WINDOWS\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-07-06 01:15 81920 C:\WINDOWS\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2007-07-06 01:15 86016 C:\WINDOWS\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2008-05-27 17:58 160592 C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-04-29 19:56 158624 c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModPS2]
--a------ 2006-11-07 17:34 53248 C:\WINDOWS\ModPS2Key.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2008-01-19 03:36 2153472 C:\WINDOWS\System32\oobefldr.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"="C:\Windows\system32\msconfig.exe" /auto
"NvCplDaemon"=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
"NvSvc"=RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2116934095-64732464-646402426-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F2C2E674-07CF-4AFB-B847-C89954CE5450}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BE64044A-BDED-4C78-8DA3-AFB4F78BEEFF}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{07ADA644-FF6E-490A-B2BA-1BFE0E762B79}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{4EC86CEB-B1DF-4B98-B0B2-916C9A7E07D7}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{A4E3187A-A05B-4CD5-BAEA-DFE7E1AB306C}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{55796900-DD5F-45CC-861D-348C5D8B0E69}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{51343B63-BBAF-4AE4-B894-6DABA535E453}"= UDP:C:\Program Files\Common Files\aol\1209252574\ee\aolsoftware.exe:AOL Shared Components
"{23A13B54-CD1A-42D6-ADD2-0A066CD66E64}"= TCP:C:\Program Files\Common Files\aol\1209252574\ee\aolsoftware.exe:AOL Shared Components
"{506400DA-18A5-41F6-8BE9-AD880E639FFF}"= UDP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{DFE35CB6-87B0-46CD-9902-B01BBD906953}"= TCP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{387ADF4D-D222-499F-A241-3490CAC640C0}"= UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{2EF8379D-B934-43AD-BD4B-F44AE3BBAE79}"= TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{1C2EAACF-1532-4C90-8F78-E40BBFC74F26}"= UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{18FA7833-7517-4922-9EB2-C17BC4805996}"= TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{7EA2223C-60B5-475E-B366-97A581C9AF2E}"= UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL
"{C8B95026-14B1-4CE7-BCE5-06C94CD4299F}"= TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL
"{3E5D217E-2DE9-4BD4-92B9-4BF6191FAA95}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{F1D930F4-5920-4FB1-BE4F-1C0D39949375}"= UDP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{1DCCA758-7AC3-42AC-8FB6-A01A92B745EE}"= TCP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"TCP Query User{8D0AE6AF-D575-4885-BA17-65CB44BC92EA}C:\\program files\\electronic arts\\battlefield 2142\\bf2142.exe"= UDP:C:\program files\electronic arts\battlefield 2142\bf2142.exe:BF2142
"UDP Query User{EC010EA8-D229-482A-B354-4CEE30AAE1D5}C:\\program files\\electronic arts\\battlefield 2142\\bf2142.exe"= TCP:C:\program files\electronic arts\battlefield 2142\bf2142.exe:BF2142
"TCP Query User{6AAC26D3-C842-416D-B473-95504B55BC54}C:\\program files\\ea games\\battlefield 2\\bf2.exe"= UDP:C:\program files\ea games\battlefield 2\bf2.exe:BF2
"UDP Query User{EF1016E6-84A3-45A1-ADCD-4FC8C00B8FCB}C:\\program files\\ea games\\battlefield 2\\bf2.exe"= TCP:C:\program files\ea games\battlefield 2\bf2.exe:BF2
"{C91C0AA3-76C2-4D51-BE39-D3B42D534B28}"= UDP:C:\WINDOWS\System32\PnkBstrA.exe:PnkBstrA
"{7D484E0B-E8AF-4FB8-B889-375E3D3E5512}"= TCP:C:\WINDOWS\System32\PnkBstrA.exe:PnkBstrA
"{1211962E-C7E9-4709-A8FF-A49A5D12E886}"= UDP:C:\WINDOWS\System32\PnkBstrB.exe:PnkBstrB
"{DC548B99-97F8-42CA-A5B3-0FF98DFD21BC}"= TCP:C:\WINDOWS\System32\PnkBstrB.exe:PnkBstrB
"{169CD572-89F3-41F3-84FD-41D2D6AB01A1}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{96B50DB1-44F0-4DD5-8D80-A56CF92F345C}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{7ECB3F10-CDE7-49C8-A2C4-B720BCE005AA}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{053CA435-64C0-4733-BC7B-C96C24746951}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{F1793251-B2DF-43AC-B8EB-5825FBFB2E20}"= UDP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{6AC2A811-C347-4DC5-9A4C-91602600CD2C}"= TCP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{6F71C7B8-82AA-46AF-AA06-230F6485B896}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{E57A1789-D32D-4C8F-A41A-25768AEF7384}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{BC36740B-8791-4091-BEEC-69F52D7B9628}"= UDP:C:\Program Files\DropBox\DropBox\DropBox.exe:DropBox
"{F42859E9-D0A2-4FE4-879A-5C9BD81F9CC5}"= TCP:C:\Program Files\DropBox\DropBox\DropBox.exe:DropBox
"{F52F4FF9-8027-47CC-863A-8C5358BFA839}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{7751E18F-F615-4E19-9A8F-AB0B52BF86C0}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{A53D1186-D933-4413-A9A7-26E4EB6EA58E}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{244727C8-8C6C-4D40-BE37-8582DAD624BB}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{22C9E5DA-77A9-4A33-AB95-1D14DDA41762}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AE04255A-53A9-4210-B0E9-FC5FB4B7CCFA}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{83093D29-EE4C-41DA-BAB1-131A028BD8CE}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{11424E98-A5DC-4721-A026-3325A21FCDEC}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{D2D99048-B65E-499D-9299-532EAECBBA83}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{96C9BD17-7920-4E0C-BC70-DD2DC81DA181}"= UDP:C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{A529D022-B5B6-4961-9AF8-B85DEFD43D09}"= TCP:C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{191F6774-3495-412E-99FC-45548E9568C4}"= UDP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{08CED3F9-A3A4-4BE0-BD13-B7152BC755EE}"= TCP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{BAD232F3-4F4C-4B0B-8CF3-A0967867F788}"= UDP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"{87D0621F-F8CD-42F6-BA10-40620CF5445A}"= TCP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\\Nexon\\Combat Arms\\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\\Nexon\\Combat Arms\\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-06-03 06:22]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 03:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0187caff-0f44-11dd-8f80-806e6f6e6963}]
\shell\AutoRun\command - E:\Autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\Windows\Tasks\User_Feed_Synchronization-{45C44952-5CA1-46EC-A12D-3251E44D39EB}.job
- C:\Windows\system32\msfeedssync.exe [2008-01-19 03:33]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1209252574\ee\AOLSoftware.exe
MSConfigStartUp-NapsterShell - C:\Program Files\Napster\napster.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Window Title =
O8 -: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 -: E&xport to Microsoft Excel
O8 -: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 -: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 -: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 12:46:09
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 12:49:01
ComboFix-quarantined-files.txt 2008-08-23 16:48:59

Pre-Run: 435,935,723,520 bytes free
Post-Run: 435,895,848,960 bytes free

345 --- E O F --- 2008-08-21 17:48:43










Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:38 PM, on 8/23/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6887 bytes







2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2142 Sig Generator --> MsiExec.exe /I{89C586FF-3690-411F-BFFC-2C559116B8C3}
Absolute Uninstaller 2.5 --> "C:\Program Files\Absolute Uninstaller\unins000.exe"
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Astyle CSS editor 3.8 Beta 8 --> "C:\Program Files\Astyle CSS editor\Uninstall\unins000.exe"
Battlefield 2(TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
Battlefield 2142 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x9 -removeonly
BigFix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34FF0741-EC67-4C05-AC2A-6D257123DF2E}\setup.exe" -l0x9 -uninst -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Call of Duty(R) 4 - Modern Warfare(TM) --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch --> C:\Program Files\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch --> C:\Program Files\InstallShield Installation Information\{931C37FC-594D-43A9-B10F-A2F2B1F03498}\setup.exe -runfromtemp -l0x0409
Catalyst Control Center - Branding --> MsiExec.exe /I{BE3F26EE-F81B-4A50-8376-271F5CA84C5B}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE2CC4A5-2128-4EA2-941D-14F7A6A1AB61} /l1033
Download Manager 2.3.6 --> C:\Program Files\Download Manager\uninst.exe
DropBox --> "C:\Program Files\DropBox\Uninstall.exe"
EA Download Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{EF7E931D-DC84-471B-8DB6-A83358095474} /l1033
Empire Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2447500B-22D7-47BD-9B13-1A927F43A267}\Setup.exe"
Eraser --> "C:\ProgramData\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe" REMOVE=TRUE MODIFY=FALSE
Eraser --> C:\ProgramData\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe
FileZilla Client 3.1.0.1 --> C:\Program Files\FileZilla FTP Client\uninstall.exe
Fraps --> "C:\Fraps\uninstall.exe"
Gateway Connect --> MsiExec.exe /I{EE5EEDAF-F932-462B-A2CB-EEBDF819D5F5}
Gateway Recovery Center Installer --> MsiExec.exe /X{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}
Hamachi 1.0.3.0 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
LabelPrint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\Setup.exe" -uninstall
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Money Essentials --> "C:\Program Files\Microsoft Money 2007\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2007 (English) --> MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Microsoft WSE 2.0 SP3 Runtime --> MsiExec.exe /X{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PingPlotter Standard 3.20.1s --> C:\Program Files\PingPlotter Standard\uninst.exe
Power2Go 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
PS2 Multimedia Keyboard Driver --> "C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\setup.exe" -ul
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Real War --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD5835F8-909A-11D5-AE12-0050BA40602F}\setup.exe"
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
RTC Client API v1.2 --> MsiExec.exe /X{44CDBD1B-89FB-4E02-8319-2A4C550F664A}
Security Update for 2007 Microsoft Office System (KB951596) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {1AFF2298-CC00-4A3B-866A-C62B8373794E}
Security Update for Microsoft Office Excel 2007 (KB951546) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26}
Security Update for Microsoft Office PowerPoint 2007 (KB951338) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
SmartFTP Client --> MsiExec.exe /I{6F23C1A3-9F62-470C-BD12-B83F04E67865}
SmartFTP Client 3.0 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 3.0 Setup Files\uninst-sftp.exe
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe -U -I*.INF
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World in Conflict --> C:\Program Files\InstallShield Installation Information\{F11ADC64-C89E-47F4-A0B3-3665FF859397}\setup.exe -runfromtemp -l0x0009 -removeonly
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zune --> c:\Program Files\Zune\ZuneSetup.exe /x
Zune --> MsiExec.exe /X{FF70513F-E3A7-402F-84FB-B7810A064BE2}
Zune Language Pack (ES) --> MsiExec.exe /X{EE4ACABF-531E-419A-9225-B8E0FA4955AF}
Zune Language Pack (FR) --> MsiExec.exe /X{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}
Skuddbuster is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-24-2008, 03:06 AM   #5 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP


Re: Continuously getting a phishing attack
Hello again

Not seeing anything malicious in your logs, can you capture a screenshot of this phishing attack. Have you tried uninstalling Windows Live Messenger to see if the alerts stop, if so, reinstall Windows Live Messenger.

=========

Do you know what these folders are.

C:\Users\owner\Banned by me
C:\Users\owner\cc

=========

Click Start>Control Panel>Programs> remove the following:

Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 5
Leave Java(TM) 6 Update 7 installed
Viewpoint Media Player <---Viewpoint is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

Additional Information Here
and Here

===========

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O13 - Gopher Prefix:

Please remember to close all other windows, including browsers then click Fix checked.

============

Go here and do the BitDefender online virus scan.

* Click "I Agree" to agree to the EULA.
* Allow the ActiveX control to install when prompted.
* Leave the scanning options at default and press "Click here to scan" to begin the scan.
* Please refrain from using the computer until the scan is finished.
* When the scan is finished, click on "Click here to export the scan results"
* Save the report to your desktop then come back here and post it in your next reply along with a new Hijack This log

=========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

==========
Logs Required
BitDefender Scan Report
Hiajckthis Log
__________________
Member of ASAP since 2007
Member of UNITE since 2008

**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-24-2008, 03:58 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 54
OS: Vista


Re: Continuously getting a phishing attack
First, I do know what those files are that you pointed out. Thanks.

Next, I could never get the BitDefender results to display. When I clicked to export them, it was an HTML document that when clicked, displayed nothing. However, It said if found 7 issues, and pointed to one .exe file in particular, that is Arcadeinstallfull108c, which apparently is gamespy arcade for online gaming. Its in a program file of a game that is on my computer. So, I think that may be a false positive.

==================================================================================================================

Next, when I was getting the phishing alert, here is what it said it found:

C:\Users\owner\AppData\Roaming\Microsoft\Windows\Cookies\owner@atdmt[1].txt

detected: riskware Trojan.generic Running process: C:\USERS\OWNER\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MATLCILX\WICSETUP-DM[1].EXE

--------------------------------------------------------------------------------------------------------------------------------------------------

Also, when attemting to download combo fix I got the following warnings, (just a reminder, this happened when attempting to download combofix, not when trying to use it. In your instructions you stated to download it, then disable antivirus, and disconnect from the web) not sure if thats important or not:

quarantined: virus Heur.Invader (modification) File: C:\Users\owner\Desktop\ComboFix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe

detected: virus Heur.Invader (modification) URL: http://download.bleepingcomputer.com.../catchme.cfexe

detected: virus Heur.Invader (modification) URL: http://www.forospyware.com/sUBs/Comb.../catchme.cfexe

detected: virus Heur.Invader (modification) URL: http://subs.geekstogo.com/ComboFix.e.../catchme.cfexe

detected: virus Heur.Invader (modification) URL: http://www.techsupportforum.com/sect.../catchme.cfexe



==================================================================================================================

Last, as requested the follow up HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:28 PM, on 8/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6780 bytes


Thanks!
Skuddbuster is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-24-2008, 04:21 PM   #7 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP


Re: Continuously getting a phishing attack
Go to these folders and see if there are any files inside, if so, make a note of them and post that info in your reply.

C:\Users\owner\Banned by me
C:\Users\owner\cc

=======

Quote:
C:\Users\owner\AppData\Roaming\Microsoft\Windows\Cookies\owner@atdmt[1].txt

detected: riskware Trojan.generic Running process: C:\USERS\OWNER\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MATLCILX\WICSETUP-DM[1].EXE
You can remove these by doing this:

Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.

SpyWareBlaster is a good free programme that blocks tracking cookies and malicious active x controls.

Quote:
Also, when attemting to download combo fix I got the following warnings, (just a reminder, this happened when attempting to download combofix, not when trying to use it. In your instructions you stated to download it, then disable antivirus, and disconnect from the web) not sure if thats important or not:
Kaspersky and Combofix do not get on together, put Combofix in the trusted zone if asked again.

===========

Download Malwarebytes ' Anti-Malware at Here or Here Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

==========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

==========
Logs Required
MBAM.log
Hijackthis Log
__________________
Member of ASAP since 2007
Member of UNITE since 2008

**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-25-2008, 02:22 AM   #8 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 54
OS: Vista


Re: Continuously getting a phishing attack
I know what those 2 files are there is nothing malicious in them. They were created by me.



Malwarebytes' Anti-Malware 1.25
Database version: 1083
Windows 6.0.6001 Service Pack 1

8:11:43 PM 8/24/2008
mbam-log-08-24-2008 (20-11-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 114452
Time elapsed: 35 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:13 AM, on 8/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6607 bytes


Thanks
Skuddbuster is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-25-2008, 04:57 AM   #9 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP


Re: Continuously getting a phishing attack
Hello,

Delete MSNCleaner.zip and MsnCleaner.exe from your desktop, you can keep MalwareBytes` Anti-malware if you wish.

============

Well done, your logs are clean.

Click start>run>type(or copy/paste command into run box):

ComboFix /u

Click ok.

===============

Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.


Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In "Settings" window put the check mark for Cookies,Cache,Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1.Click Start,Run, type sysdm.cpl, and then press OK.
2.Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended).

Microsoft updates are released every second Tuesday of each month,what is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:

* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note:Only compatible with Firefox 1.5 and higher.

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
Malwarebytes ' Anti-Malware

------------------------------------------------------------------

IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List.

Download and installation instructions for IE-Spyad™ Here

-----------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If your having trouble downloading & extracting,see link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the host file,double click on it and a new window will open.

Double-click on mvps.batand follow the prompts

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen.Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Also, please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.
__________________
Member of ASAP since 2007
Member of UNITE since 2008

**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-25-2008, 01:55 PM   #10 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 54
OS: Vista


Re: Continuously getting a phishing attack
resolved. Thank you
Skuddbuster is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 10:17 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85