Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Fake Security Center Infection [RESOLVED]


  • This topic is locked This topic is locked

#1
avishayil

avishayil

    Member

  • Member
  • PipPip
  • 10 posts
Hello helpers!
I really need some attention here, I got a fake Security Center spyware virus...
It disables me the possibility to open Task Manager in any way, and revokes Administrator rights.
Also, its opening fake security center going to this site(DO NOT ENTER EVER!!!!): h**p://ant*spywar*updat*s.net (DO NOT ENTER EVER!!!) (Website masked to prevent enterance).
I have looked about the resolved thread, and tried the steps there, didnt help.
Can someone guide me to solution?
Thanks,
Avishay from Israel.

Edited by avishayil, 09 March 2008 - 06:37 AM.

  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello avishayil

Welcome to G2Go. :)
=====================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
avishayil

avishayil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Logfile: hjackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:26, on 2008-03-09
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Imprivata\SSOManHost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\r_server.exe
d:\sapdb\programs\web\pgm\wahttp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Imprivata\ISXHost.exe
d:\sapdb\programs\pgm\serv.exe
C:\Program Files\Imprivata\XyLoc.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cpi.checkpoin...PHome/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-scan3.c...t.com/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: SSO Browser Helper Object - {A683EEA9-ECFA-45A2-BCA9-7D9D54AD58AE} - C:\Program Files\Imprivata\ISXBho.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: NuSphere ToolBar - {0F62D223-9206-4EA3-9EA8-D0F3C7C82ACA} - C:\Program Files\nusphere\phped\NuSphereIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SAPSMC] C:\WINDOWS\system32\mmc.exe "C:/WINDOWS\SAPMMC.MSC"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-21-2282855109-2227715834-790780181-1012\..\Run: [Exodus] C:\Program Files\Exodus\Exodus.exe (User 'SAPServiceDAB')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Pandion.lnk = C:\Program Files\Pandion\Pandion.exe
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: NuSphere PhpED :: Debug this page - res://C:\Program Files\nusphere\phped\NuSphereIEBar.dll/1000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://mustang-il-st.../siebelhtml.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://mustang-il-st...lOptionPack.cab
O16 - DPF: {8F4F3368-54CA-4268-8225-0F4367472CF4} (MailClient Class) - http://mustang-il-st...tMailClient.cab
O16 - DPF: {C0D2212A-5EF2-44F8-9441-1DB60F128112} (Siebel Option Pack for IE 7.5.3) - http://mustang-il-st...lOptionPack.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.checkpoint.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.checkpoint.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.checkpoint.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = checkpoint.com,zonelabs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.checkpoint.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = checkpoint.com,zonelabs.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.checkpoint.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = checkpoint.com,zonelabs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = checkpoint.com,zonelabs.com
O21 - SSODL: SysAlrt - {9839e66d-b275-49ef-8e42-0b5d4e906787} - C:\WINDOWS\Installer\{9839e66d-b275-49ef-8e42-0b5d4e906787}\SysAlrt.dll
O21 - SSODL: zip - {0543c7c4-fed3-4762-a10e-76559d1e6c20} - C:\WINDOWS\Installer\{0543c7c4-fed3-4762-a10e-76559d1e6c20}\zip.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: SAPDB: .M750044 (SAP DBTech-.M750044) - MySQL MaxDB - c:\sapdb\dab\db\pgm\kernel.exe
O23 - Service: SAPDB: .M750044 (quick) (SAP DBTech-.M750044 (quick)) - MySQL MaxDB - c:\sapdb\dab\db\pgm\quickknl.exe
O23 - Service: SAPDB: .M750044 (slow) (SAP DBTech-.M750044 (slow)) - MySQL MaxDB - c:\sapdb\dab\db\pgm\slowknl.exe
O23 - Service: SAPDB: .M750044 (omststknl.exe) (SAP DBTech-.M750044 (test)) - Unknown owner - c:\sapdb\dab\db\pgm\omststknl.exe (file missing)
O23 - Service: SAPDB: DAB (SAP DBTech-DAB) - MySQL MaxDB - c:\sapdb\dab\db\pgm\kernel.exe
O23 - Service: SAPDB: DAB (quick) (SAP DBTech-DAB (quick)) - MySQL MaxDB - c:\sapdb\dab\db\pgm\quickknl.exe
O23 - Service: SAPDB: DAB (slow) (SAP DBTech-DAB (slow)) - MySQL MaxDB - c:\sapdb\dab\db\pgm\slowknl.exe
O23 - Service: SAPDB: DAB (omststknl.exe) (SAP DBTech-DAB (test)) - Unknown owner - c:\sapdb\dab\db\pgm\omststknl.exe (file missing)
O23 - Service: SAPDAB_00 - SAP AG - D:\usr\sap\DAB\JC00\exe\sapstartsrv.exe
O23 - Service: SAPDAB_01 - SAP AG - D:\usr\sap\DAB\SCS01\exe\sapstartsrv.exe
O23 - Service: SAP DB WWW (SAPDBWWW) - Unknown owner - d:\sapdb\programs\web\pgm\wahttp.exe
O23 - Service: SAPDBXIE - Unknown owner - d:\sapdb\programs\web\pgm\sapdbxie.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SSO Manager Host (SSOManHost) - Imprivata, Inc. - C:\Program Files\Imprivata\SSOManHost.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: XServer - MySQL MaxDB - d:\sapdb\programs\pgm\serv.exe
O23 - Service: XyLoc Security System - Unknown owner - C:\Program Files\Imprivata\XyLoc.exe

--
End of file - 13066 bytes
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
avishayil

avishayil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Logfile: log.txt

ComboFix 08-03-08.2 - avishayb 2008-03-09 15:32:29.3 - NTFSx86
Running from: C:\Documents and Settings\avishayb\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\Windows\Temp\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-09 15:39 . 2008-03-09 15:39 <DIR> d-------- C:\Program Files\seekmo
2008-03-09 15:23 . 2008-03-09 15:23 25,088 --a------ C:\WINDOWS\asycfilt32.dll
2008-03-09 15:23 . 2008-03-09 15:23 11,776 --a------ C:\WINDOWS\123messenger.per
2008-03-09 15:21 . 2008-03-09 15:21 <DIR> d-------- C:\Program Files\zango
2008-03-09 15:21 . 2008-03-09 15:21 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-09 15:21 . 2008-03-09 15:21 <DIR> d-------- C:\Program Files\stc
2008-03-09 15:21 . 2008-03-09 15:21 <DIR> d-------- C:\Program Files\180solutions
2008-03-09 15:21 . 2008-03-09 15:21 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-09 15:21 . 2008-03-09 15:21 <DIR> d-------- C:\Program Files\180search assistant
2008-03-09 14:48 . 2008-03-09 14:48 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Grisoft
2008-03-09 14:47 . 2008-03-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 14:47 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-09 14:43 . 2008-03-09 14:43 <DIR> d-------- C:\_OTMoveIt
2008-03-09 13:09 . 2008-03-09 13:09 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-09 12:18 . 2008-03-09 13:07 31,488 --a------ C:\WINDOWS\didduid.ini
2008-03-09 12:18 . 2008-03-09 12:19 312 --a------ C:\WINDOWS\wininit.ini
2008-03-09 11:42 . 2008-03-09 11:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-09 11:42 . 2008-03-09 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-09 11:38 . 2008-03-09 11:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Pandion
2008-03-09 11:32 . 2008-03-09 11:32 88,587 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-09 10:22 . 2008-03-09 10:34 <DIR> d-------- C:\Program Files\Total Commander
2008-03-09 09:34 . 2008-03-09 09:34 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-04 10:14 . 2008-03-04 10:14 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Thinstall
2008-03-03 17:05 . 2008-03-03 17:05 <DIR> d-------- C:\Program Files\Pandion
2008-03-03 17:05 . 2008-03-03 17:56 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Pandion
2008-03-03 14:54 . 2008-03-03 14:58 <DIR> d-------- C:\Program Files\ARS Server
2008-03-02 10:03 . 2008-03-02 10:03 <DIR> d-------- C:\Program Files\Salling Software AB
2008-03-02 10:03 . 2008-03-02 10:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 10:03 . 2008-03-02 10:03 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Salling Software AB
2008-03-02 10:03 . 2008-03-02 10:03 360,580 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-03-02 10:03 . 2008-03-02 10:03 385 --a------ C:\WINDOWS\{2158ED55-19D1-4C0C-B213-5EFF748248AC}_WiseFW.ini
2008-02-21 12:12 . 2008-02-21 12:59 <DIR> d-------- C:\Program Files\DJ Jukebox
2008-02-21 12:11 . 2008-02-21 12:13 <DIR> d-------- C:\Program Files\Common Files\System-G
2008-02-18 12:12 . 2008-02-18 12:12 <DIR> d-------- C:\Program Files\DFX
2008-02-18 12:12 . 2008-02-18 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
2008-02-18 12:10 . 2008-02-18 12:14 <DIR> d-------- C:\Program Files\Winamp
2008-02-18 12:10 . 2008-02-18 12:14 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Winamp
2008-02-18 11:55 . 2008-02-18 12:14 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Quintessential Player
2008-02-14 15:24 . 2007-12-01 00:25 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-02-14 15:23 . 2008-02-14 15:23 <DIR> d-------- C:\WINDOWS\system32\en
2008-02-14 15:23 . 2008-02-14 15:23 <DIR> d-------- C:\WINDOWS\system32\bits
2008-02-14 15:23 . 2008-02-14 15:23 <DIR> d-------- C:\WINDOWS\l2schemas
2008-02-14 15:23 . 2007-12-01 00:26 32,866 --------- C:\WINDOWS\slrundll.exe
2008-02-14 15:18 . 2008-02-14 15:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-14 15:11 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003349_.tmp
2008-02-14 14:25 . 2006-02-20 20:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-02-14 14:25 . 2003-09-23 16:42 17,024 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-02-14 14:25 . 2006-04-11 21:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-02-14 14:25 . 2006-07-11 21:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-02-14 14:25 . 2003-09-23 16:42 7,296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-02-14 11:37 . 2008-02-14 14:24 <DIR> d-------- C:\Garmin
2008-02-14 11:15 . 2008-03-04 18:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 11:09 . 2008-02-14 11:09 <DIR> d-------- C:\Program Files\Mobiola Remote Control
2008-02-14 11:09 . 2007-09-18 12:25 114,688 --a------ C:\WINDOWS\system32\BTCamVideoSource.dll
2008-02-13 17:50 . 2008-02-13 17:50 <DIR> d-------- C:\Program Files\NiiMe
2008-02-13 17:49 . 2008-02-13 17:49 <DIR> d-------- C:\Program Files\NiiMeWheel
2008-02-12 11:53 . 2008-02-18 10:43 1,893 --a------ C:\WINDOWS\mozver.dat
2008-02-12 11:46 . 2008-02-12 11:46 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Talkback
2008-02-12 11:46 . 2008-02-12 11:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-11 12:08 . 2008-02-11 12:08 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\CheckPoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 13:19 --------- d-----w C:\Program Files\Altiris
2008-03-09 12:21 --------- d-----w C:\Program Files\Trend Micro
2008-03-09 11:38 833,824 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-09 11:38 75,536 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-09 11:38 226,016 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-09 11:38 19,599,136 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-09 11:38 11,556,398 ----a-w C:\WINDOWS\Internet Logs\tvDebug.Zip
2008-03-09 10:20 --------- d-----w C:\Program Files\pdf995
2008-03-09 09:21 --------- d-----w C:\Program Files\FlashGet
2008-03-05 12:15 3,582,464 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-03-05 12:14 2,499,072 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-03-04 14:16 --------- d-----w C:\Program Files\ICQ6
2008-03-03 15:41 --------- d-----w C:\Documents and Settings\avishayb\Application Data\SQLyog
2008-02-25 09:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 21:00 55,808 ----a-w C:\WINDOWS\system32\DevCon.exe
2008-02-14 21:00 3,072 ----a-w C:\WINDOWS\system32\Mswtif.dll
2008-02-14 21:00 24,576 ----a-w C:\WINDOWS\NOCLOSE.PIF
2008-02-14 09:10 2,758,656 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-11 10:07 --------- d-----w C:\Program Files\CheckPoint
2008-02-07 15:05 --------- d-----w C:\Documents and Settings\avishayb\Application Data\GUIB
2008-02-07 13:45 --------- d-----w C:\Documents and Settings\avishayb\Application Data\Wing IDE 3
2008-02-07 13:05 --------- d-----w C:\Program Files\Wing IDE 3.0
2008-02-07 08:30 --------- d-----w C:\Program Files\Common Files\Symbian
2008-02-07 08:04 --------- d-----w C:\Program Files\CSL Arm Toolchain
2008-02-07 08:04 --------- d-----w C:\Program Files\Common Files\SDK Descriptors
2008-02-06 12:11 --------- d-----w C:\Program Files\CLEAREVO.com
2008-02-05 15:17 22,016 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-05 15:17 2,216,448 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-05 15:14 80,384 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-05 13:16 --------- d-----w C:\Program Files\Microsoft Virtual PC
2008-02-05 12:45 2,087,424 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-05 07:52 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-02-05 07:52 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-02-05 07:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-05 07:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-05 07:28 --------- d-----w C:\Program Files\Microsoft Works
2008-02-05 07:20 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-02-05 07:20 --------- d-----w C:\Documents and Settings\avishayb\Application Data\DAEMON Tools
2008-02-05 07:15 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-02-04 10:17 --------- d-----w C:\Documents and Settings\avishayb\Application Data\PC Suite
2008-02-03 09:06 0 ----a-w C:\Documents and Settings\granit\ISXAudit.DAT
2008-01-30 08:30 2,237,952 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-30 07:58 --------- d-----w C:\Program Files\Imprivata
2008-01-28 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-28 14:19 --------- d-----w C:\Program Files\FLV Player
2008-01-28 14:18 --------- d-----w C:\Program Files\Yahoo!
2008-01-27 14:34 --------- d-----w C:\Program Files\Smallvideosoft
2008-01-27 08:22 --------- d-----w C:\Documents and Settings\avishayb\Application Data\NuSphere
2008-01-27 08:19 --------- d-----w C:\Program Files\MySQL
2008-01-27 08:18 --------- d-----w C:\Program Files\nusphere
2008-01-27 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\NuSphere
2008-01-27 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-01-27 08:13 --------- d-----w C:\Program Files\EasyPHP 2.0b1
2008-01-24 18:36 --------- d-----w C:\Program Files\SQLyog Community
2008-01-23 00:46 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-01-22 09:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-01-21 16:01 --------- d-----w C:\Program Files\ExamDiff
2008-01-20 08:16 --------- d-----w C:\Documents and Settings\avishayb\Application Data\skypePM
2008-01-17 16:23 2,516 ----a-w C:\WINDOWS\system32\drivers\sdboot.bin
2008-01-17 16:23 2,235,408 ----a-w C:\WINDOWS\system32\drivers\fw.sys
2008-01-17 16:22 106,592 ----a-w C:\WINDOWS\system32\fwnetcfg.dll
2008-01-15 08:00 --------- d-----w C:\Documents and Settings\avishayb\Application Data\Nokia
2008-01-14 13:26 --------- d-----w C:\Documents and Settings\avishayb\Application Data\Nokia Multimedia Player
2008-01-14 11:01 --------- d-----w C:\Documents and Settings\avishayb\Application Data\ICQ
2008-01-14 08:47 --------- d-----w C:\Program Files\Symbian OS Tools
2008-01-14 08:47 --------- d-----w C:\Documents and Settings\avishayb\Application Data\InstallShield
2008-01-13 08:44 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-10 16:44 --------- d-----w C:\Program Files\Nokia
2008-01-10 16:44 --------- d-----w C:\Program Files\Common Files\Nokia
2008-01-10 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-01-10 16:22 --------- d-----w C:\Program Files\NSS
2008-01-10 09:06 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-10 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-09 09:16 106,496 ----a-w C:\WINDOWS\system32\SSOCareFx.dll
2007-12-12 06:33 480,736 ----a-w C:\WINDOWS\system32\icslta.dll
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\SAPServiceDAB\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\nwadmin\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\novadia\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\gadir\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\Default User\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\dabadm\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\avishayb\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\Administrator\ISXAudit.DAT
2004-10-27 18:40 331,776 ----a-w C:\Documents and Settings\nwadmin\sapinstevents.dll
.

------- Sigcheck -------

2007-06-27 16:40 824320 9226919fbb14f5ab12859c05e474dd77 C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2004-08-04 10:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
2005-10-21 05:38 661504 af785c4947676a7fc1673fdc5c8d0b5b C:\WINDOWS\$NtUninstallKB925454$\wininet.dll
2006-10-23 17:34 664576 231ef4179acabe486376b5ca893f1076 C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
2007-06-26 16:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
2007-08-22 14:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-12-01 00:26 666112 e7f441cde6e418bb68fc700872c004a0 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2007-06-27 16:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\system32\wininet.dll
2007-06-27 16:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-03-09_13.54.11.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-09 11:40:13 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
+ 2008-03-09 12:30:40 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
2008-01-28 18:27 390616 --a------ C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A683EEA9-ECFA-45A2-BCA9-7D9D54AD58AE}]
2008-01-09 11:16 262144 --a------ C:\Program Files\Imprivata\ISXBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll" [2008-01-28 18:27 390616]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll [2008-01-28 18:27 390616]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2007-05-09 22:33 106904]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 18:51 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 16:16 356352]
"SAPSMC"="C:\WINDOWS\system32\mmc.exe" [2007-12-01 00:26 1414656]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Pandion.lnk - C:\Program Files\Pandion\Pandion.exe [2006-01-11 03:06:07 993792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysAlrt"= {9839e66d-b275-49ef-8e42-0b5d4e906787} - C:\WINDOWS\Installer\{9839e66d-b275-49ef-8e42-0b5d4e906787}\SysAlrt.dll [2008-03-09 09:34 14374]
"zip"= {0543c7c4-fed3-4762-a10e-76559d1e6c20} - C:\WINDOWS\Installer\{0543c7c4-fed3-4762-a10e-76559d1e6c20}\zip.dll [2008-03-09 09:34 22686]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2006-04-09 21:24 24674 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3009975827-1942386155-3087368816-24128\Scripts\Logon\0\0]
"Script"=OneSignAgent_ver2.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll, wowfx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^avishayb^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\avishayb\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^avishayb^Start Menu^Programs^Startup^Mobiola Remote Control.lnk]
path=C:\Documents and Settings\avishayb\Start Menu\Programs\Startup\Mobiola Remote Control.lnk
backup=C:\WINDOWS\pss\Mobiola Remote Control.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^avishayb^Start Menu^Programs^Startup^Total Commander.lnk]
path=C:\Documents and Settings\avishayb\Start Menu\Programs\Startup\Total Commander.lnk
backup=C:\WINDOWS\pss\Total Commander.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-12-01 00:26 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Exodus]
--a------ 2003-07-02 18:39 2738688 C:\Program Files\Exodus\Exodus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExodusLoader]
--a------ 2004-10-17 09:50 49152 c:\progra~1\exodusloader\exodusloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-09-25 10:10 2007088 C:\Program Files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 19:07 61952 C:\WINDOWS\system32\hdashcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-03-03 14:08 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 15:00 44032 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 15:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW]
--a------ 2008-01-28 18:23 200781 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISXAgent]
--a------ 2008-01-09 11:16 1290240 C:\Program Files\Imprivata\ISXAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JSPEdit]
C:\Documents and Settings\avishayb\Desktop\projvisualstudio\Solution1.sln

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 15:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--a------ 2006-02-07 16:16 356352 C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 15:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 15:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-20 20:01 525824 C:\Program Files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 07:28 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinClicker.exe]
--a------ 2007-05-11 11:25 1150976 C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
--a------ 2008-01-23 02:47 939496 C:\Program Files\CheckPoint\Integrity Client\iclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-01-23 02:47 939496 C:\Program Files\Checkpoint\Integrity Client\iclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\system32\\winav.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" /service []
R2 SAPDAB_00;SAPDAB_00;D:\usr\sap\DAB\JC00\exe\sapstartsrv.exe pf=D:\usr\sap\DAB\SYS\profile\START_JC00_avishayb-7100 []
R2 SAPDAB_01;SAPDAB_01;D:\usr\sap\DAB\SCS01\exe\sapstartsrv.exe pf=D:\usr\sap\DAB\SYS\profile\START_SCS01_avishayb-7100 []
R2 SAPDBWWW;SAP DB WWW;d:\sapdb\programs\web\pgm\wahttp.exe [2005-06-16 12:14]
R2 SSOManHost;SSO Manager Host;"C:\Program Files\Imprivata\SSOManHost.exe" [2008-01-09 11:09]
R2 XServer;XServer;d:\sapdb\programs\pgm\serv.exe [2007-04-10 22:19]
R2 XyLoc Security System;XyLoc Security System;"C:\Program Files\Imprivata\XyLoc.exe" [2007-06-13 11:38]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2008-01-17 18:23]
S2 MailService;Rational ClearQuest Mail Service;"C:\Program Files\Rational\ClearQuest\mailservice.exe" [2005-06-08 11:02]
S3 icsak;icsak;C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys [2008-01-28 18:25]
S3 SAP DBTech-.M750044 (quick);SAPDB: .M750044 (quick);c:\sapdb\dab\db\pgm\quickknl.exe [2007-04-11 01:16]
S3 SAP DBTech-.M750044 (slow);SAPDB: .M750044 (slow);c:\sapdb\dab\db\pgm\slowknl.exe [2007-04-11 02:11]
S3 SAP DBTech-.M750044 (test);SAPDB: .M750044 (omststknl.exe);c:\sapdb\dab\db\pgm\omststknl.exe []
S3 SAP DBTech-.M750044;SAPDB: .M750044;c:\sapdb\dab\db\pgm\kernel.exe [2007-04-10 23:25]
S3 SAP DBTech-DAB (quick);SAPDB: DAB (quick);c:\sapdb\dab\db\pgm\quickknl.exe [2007-04-11 01:16]
S3 SAP DBTech-DAB (slow);SAPDB: DAB (slow);c:\sapdb\dab\db\pgm\slowknl.exe [2007-04-11 02:11]
S3 SAP DBTech-DAB (test);SAPDB: DAB (omststknl.exe);c:\sapdb\dab\db\pgm\omststknl.exe []
S3 SAP DBTech-DAB;SAPDB: DAB;c:\sapdb\dab\db\pgm\kernel.exe [2007-04-10 23:25]
S3 SAPDBXIE;SAPDBXIE;d:\sapdb\programs\web\pgm\sapdbxie.exe [2005-06-16 12:18]
S3 vsinstdv;vsinstdv;C:\DOCUME~1\avishayb\LOCALS~1\Temp\{CF20E9E4-4933-40D2-B305-CA9EDB585CA7}\vsinstdv.sys []
S4 IswSvc;ForceField IswSvc;"C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe" [2008-01-28 18:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 15:39:25
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-03-09 15:41:52
ComboFix-quarantined-files.txt 2008-03-09 13:41:23
ComboFix2.txt 2008-03-09 12:30:18
  • 0

#6
avishayil

avishayil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
As we speak, got this:

Posted Image

And This:

Posted Image
  • 0

#7
avishayil

avishayil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Another web page appeared automatically:
Posted Image

and another nice popup:
Posted Image
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\didduid.ini
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\eSellerateEngine.dll
C:\WINDOWS\003349_.tmp
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\pss\findfast.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\winav.exe
Folder::
C:\WINDOWS\Installer\{9839e66d-b275-49ef-8e42-0b5d4e906787}
C:\WINDOWS\Installer\{0543c7c4-fed3-4762-a10e-76559d1e6c20}
C:\Program Files\seekmo
C:\Program Files\zango
C:\Program Files\Sysmnt
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\WINDOWS\FLEOK
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt
================================================================================
Then::
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

Edited by kahdah, 09 March 2008 - 08:02 AM.

  • 0

#9
avishayil

avishayil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Logfile: log.txt

ComboFix 08-03-08.2 - avishayb 2008-03-09 16:06:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2384 [GMT 2:00]
Running from: C:\Documents and Settings\avishayb\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\avishayb\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\003349_.tmp
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\didduid.ini
C:\WINDOWS\eSellerateEngine.dll
C:\WINDOWS\pss\findfast.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\winav.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\003349_.tmp
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\eSellerateEngine.dll
C:\WINDOWS\FLEOK
C:\WINDOWS\FLEOK\180ax.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\Windows\Temp\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-09 16:05 . 2008-03-09 16:05 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Malwarebytes
2008-03-09 16:04 . 2008-03-09 16:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-09 16:04 . 2008-03-09 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-09 15:23 . 2008-03-09 15:23 11,776 --a------ C:\WINDOWS\123messenger.per
2008-03-09 15:21 . 2008-03-09 15:21 <DIR> d-------- C:\Program Files\stc
2008-03-09 14:48 . 2008-03-09 14:48 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Grisoft
2008-03-09 14:47 . 2008-03-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 14:47 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-09 14:43 . 2008-03-09 14:43 <DIR> d-------- C:\_OTMoveIt
2008-03-09 12:18 . 2008-03-09 12:19 312 --a------ C:\WINDOWS\wininit.ini
2008-03-09 11:42 . 2008-03-09 11:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-09 11:42 . 2008-03-09 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-09 11:38 . 2008-03-09 11:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Pandion
2008-03-09 10:22 . 2008-03-09 10:34 <DIR> d-------- C:\Program Files\Total Commander
2008-03-09 09:34 . 2008-03-09 09:34 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-04 10:14 . 2008-03-04 10:14 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Thinstall
2008-03-03 17:05 . 2008-03-03 17:05 <DIR> d-------- C:\Program Files\Pandion
2008-03-03 17:05 . 2008-03-03 17:56 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Pandion
2008-03-03 14:54 . 2008-03-03 14:58 <DIR> d-------- C:\Program Files\ARS Server
2008-03-02 10:03 . 2008-03-02 10:03 <DIR> d-------- C:\Program Files\Salling Software AB
2008-03-02 10:03 . 2008-03-02 10:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 10:03 . 2008-03-02 10:03 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Salling Software AB
2008-03-02 10:03 . 2008-03-02 10:03 385 --a------ C:\WINDOWS\{2158ED55-19D1-4C0C-B213-5EFF748248AC}_WiseFW.ini
2008-02-21 12:12 . 2008-02-21 12:59 <DIR> d-------- C:\Program Files\DJ Jukebox
2008-02-21 12:11 . 2008-02-21 12:13 <DIR> d-------- C:\Program Files\Common Files\System-G
2008-02-18 12:12 . 2008-02-18 12:12 <DIR> d-------- C:\Program Files\DFX
2008-02-18 12:12 . 2008-02-18 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
2008-02-18 12:10 . 2008-02-18 12:14 <DIR> d-------- C:\Program Files\Winamp
2008-02-18 12:10 . 2008-02-18 12:14 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Winamp
2008-02-18 11:55 . 2008-02-18 12:14 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Quintessential Player
2008-02-14 15:24 . 2007-12-01 00:25 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-02-14 15:23 . 2008-02-14 15:23 <DIR> d-------- C:\WINDOWS\system32\en
2008-02-14 15:23 . 2008-02-14 15:23 <DIR> d-------- C:\WINDOWS\system32\bits
2008-02-14 15:23 . 2008-02-14 15:23 <DIR> d-------- C:\WINDOWS\l2schemas
2008-02-14 15:23 . 2007-12-01 00:26 32,866 --------- C:\WINDOWS\slrundll.exe
2008-02-14 15:18 . 2008-02-14 15:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-14 14:25 . 2006-02-20 20:25 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2008-02-14 14:25 . 2003-09-23 16:42 17,024 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2008-02-14 14:25 . 2006-04-11 21:51 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2008-02-14 14:25 . 2006-07-11 21:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2008-02-14 14:25 . 2003-09-23 16:42 7,296 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2008-02-14 11:37 . 2008-02-14 14:24 <DIR> d-------- C:\Garmin
2008-02-14 11:15 . 2008-03-04 18:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 11:09 . 2008-02-14 11:09 <DIR> d-------- C:\Program Files\Mobiola Remote Control
2008-02-14 11:09 . 2007-09-18 12:25 114,688 --a------ C:\WINDOWS\system32\BTCamVideoSource.dll
2008-02-13 17:50 . 2008-02-13 17:50 <DIR> d-------- C:\Program Files\NiiMe
2008-02-13 17:49 . 2008-02-13 17:49 <DIR> d-------- C:\Program Files\NiiMeWheel
2008-02-12 11:53 . 2008-02-18 10:43 1,893 --a------ C:\WINDOWS\mozver.dat
2008-02-12 11:46 . 2008-02-12 11:46 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\Talkback
2008-02-12 11:46 . 2008-02-12 11:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-11 12:08 . 2008-02-11 12:08 <DIR> d-------- C:\Documents and Settings\avishayb\Application Data\CheckPoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 14:06 12,204,682 ----a-w C:\WINDOWS\Internet Logs\tvDebug.Zip
2008-03-09 13:19 --------- d-----w C:\Program Files\Altiris
2008-03-09 12:21 --------- d-----w C:\Program Files\Trend Micro
2008-03-09 11:38 833,824 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-09 11:38 75,536 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-09 11:38 226,016 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-09 11:38 19,599,136 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-09 10:20 --------- d-----w C:\Program Files\pdf995
2008-03-09 09:21 --------- d-----w C:\Program Files\FlashGet
2008-03-05 12:15 3,582,464 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-03-05 12:14 2,499,072 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-03-04 14:16 --------- d-----w C:\Program Files\ICQ6
2008-03-03 15:41 --------- d-----w C:\Documents and Settings\avishayb\Application Data\SQLyog
2008-02-25 09:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 21:00 55,808 ----a-w C:\WINDOWS\system32\DevCon.exe
2008-02-14 21:00 3,072 ----a-w C:\WINDOWS\system32\Mswtif.dll
2008-02-14 21:00 24,576 ----a-w C:\WINDOWS\NOCLOSE.PIF
2008-02-14 09:10 2,758,656 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-11 10:07 --------- d-----w C:\Program Files\CheckPoint
2008-02-07 15:05 --------- d-----w C:\Documents and Settings\avishayb\Application Data\GUIB
2008-02-07 13:45 --------- d-----w C:\Documents and Settings\avishayb\Application Data\Wing IDE 3
2008-02-07 13:05 --------- d-----w C:\Program Files\Wing IDE 3.0
2008-02-07 08:30 --------- d-----w C:\Program Files\Common Files\Symbian
2008-02-07 08:04 --------- d-----w C:\Program Files\CSL Arm Toolchain
2008-02-07 08:04 --------- d-----w C:\Program Files\Common Files\SDK Descriptors
2008-02-06 12:11 --------- d-----w C:\Program Files\CLEAREVO.com
2008-02-05 15:17 22,016 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-05 15:17 2,216,448 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-05 15:14 80,384 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-05 13:16 --------- d-----w C:\Program Files\Microsoft Virtual PC
2008-02-05 12:45 2,087,424 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-02-05 07:52 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-02-05 07:52 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-02-05 07:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-05 07:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-05 07:28 --------- d-----w C:\Program Files\Microsoft Works
2008-02-05 07:20 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-02-05 07:20 --------- d-----w C:\Documents and Settings\avishayb\Application Data\DAEMON Tools
2008-02-05 07:15 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-02-04 10:17 --------- d-----w C:\Documents and Settings\avishayb\Application Data\PC Suite
2008-02-03 09:06 0 ----a-w C:\Documents and Settings\granit\ISXAudit.DAT
2008-01-30 08:30 2,237,952 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-30 07:58 --------- d-----w C:\Program Files\Imprivata
2008-01-28 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-28 14:19 --------- d-----w C:\Program Files\FLV Player
2008-01-28 14:18 --------- d-----w C:\Program Files\Yahoo!
2008-01-27 14:34 --------- d-----w C:\Program Files\Smallvideosoft
2008-01-27 08:22 --------- d-----w C:\Documents and Settings\avishayb\Application Data\NuSphere
2008-01-27 08:19 --------- d-----w C:\Program Files\MySQL
2008-01-27 08:18 --------- d-----w C:\Program Files\nusphere
2008-01-27 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\NuSphere
2008-01-27 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-01-27 08:13 --------- d-----w C:\Program Files\EasyPHP 2.0b1
2008-01-24 18:36 --------- d-----w C:\Program Files\SQLyog Community
2008-01-23 00:46 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-01-22 09:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-01-21 16:01 --------- d-----w C:\Program Files\ExamDiff
2008-01-20 08:16 --------- d-----w C:\Documents and Settings\avishayb\Application Data\skypePM
2008-01-17 16:23 2,516 ----a-w C:\WINDOWS\system32\drivers\sdboot.bin
2008-01-17 16:23 2,235,408 ----a-w C:\WINDOWS\system32\drivers\fw.sys
2008-01-17 16:22 106,592 ----a-w C:\WINDOWS\system32\fwnetcfg.dll
2008-01-15 08:00 --------- d-----w C:\Documents and Settings\avishayb\Application Data\Nokia
2008-01-14 13:26 --------- d-----w C:\Documents and Settings\avishayb\Application Data\Nokia Multimedia Player
2008-01-14 11:01 --------- d-----w C:\Documents and Settings\avishayb\Application Data\ICQ
2008-01-14 08:47 --------- d-----w C:\Program Files\Symbian OS Tools
2008-01-14 08:47 --------- d-----w C:\Documents and Settings\avishayb\Application Data\InstallShield
2008-01-13 08:44 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-10 16:44 --------- d-----w C:\Program Files\Nokia
2008-01-10 16:44 --------- d-----w C:\Program Files\Common Files\Nokia
2008-01-10 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-01-10 16:22 --------- d-----w C:\Program Files\NSS
2008-01-10 09:06 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-10 08:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-09 09:16 106,496 ----a-w C:\WINDOWS\system32\SSOCareFx.dll
2007-12-12 06:33 480,736 ----a-w C:\WINDOWS\system32\icslta.dll
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\SAPServiceDAB\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\nwadmin\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\novadia\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\gadir\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\Default User\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\dabadm\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\avishayb\ISXAudit.DAT
2007-10-31 12:14 8 ----a-w C:\Documents and Settings\Administrator\ISXAudit.DAT
2004-10-27 18:40 331,776 ----a-w C:\Documents and Settings\nwadmin\sapinstevents.dll
.

------- Sigcheck -------

2007-06-27 16:40 824320 9226919fbb14f5ab12859c05e474dd77 C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2004-08-04 10:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
2005-10-21 05:38 661504 af785c4947676a7fc1673fdc5c8d0b5b C:\WINDOWS\$NtUninstallKB925454$\wininet.dll
2006-10-23 17:34 664576 231ef4179acabe486376b5ca893f1076 C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
2007-06-26 16:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
2007-08-22 14:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-12-01 00:26 666112 e7f441cde6e418bb68fc700872c004a0 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2007-06-27 16:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\system32\wininet.dll
2007-06-27 16:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-03-09_13.54.11.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-09 11:40:13 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
+ 2008-03-09 13:39:38 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
2008-01-28 18:27 390616 --a------ C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A683EEA9-ECFA-45A2-BCA9-7D9D54AD58AE}]
2008-01-09 11:16 262144 --a------ C:\Program Files\Imprivata\ISXBho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll" [2008-01-28 18:27 390616]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll [2008-01-28 18:27 390616]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2007-05-09 22:33 106904]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 18:51 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 16:16 356352]
"SAPSMC"="C:\WINDOWS\system32\mmc.exe" [2007-12-01 00:26 1414656]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Pandion.lnk - C:\Program Files\Pandion\Pandion.exe [2006-01-11 03:06:07 993792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysAlrt"= {9839e66d-b275-49ef-8e42-0b5d4e906787} - C:\WINDOWS\Installer\{9839e66d-b275-49ef-8e42-0b5d4e906787}\SysAlrt.dll [2008-03-09 09:34 14374]
"zip"= {0543c7c4-fed3-4762-a10e-76559d1e6c20} - C:\WINDOWS\Installer\{0543c7c4-fed3-4762-a10e-76559d1e6c20}\zip.dll [2008-03-09 09:34 22686]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2006-04-09 21:24 24674 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3009975827-1942386155-3087368816-24128\Scripts\Logon\0\0]
"Script"=OneSignAgent_ver2.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll, wowfx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^avishayb^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\avishayb\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^avishayb^Start Menu^Programs^Startup^Mobiola Remote Control.lnk]
path=C:\Documents and Settings\avishayb\Start Menu\Programs\Startup\Mobiola Remote Control.lnk
backup=C:\WINDOWS\pss\Mobiola Remote Control.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^avishayb^Start Menu^Programs^Startup^Total Commander.lnk]
path=C:\Documents and Settings\avishayb\Start Menu\Programs\Startup\Total Commander.lnk
backup=C:\WINDOWS\pss\Total Commander.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-12-01 00:26 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Exodus]
--a------ 2003-07-02 18:39 2738688 C:\Program Files\Exodus\Exodus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExodusLoader]
--a------ 2004-10-17 09:50 49152 c:\progra~1\exodusloader\exodusloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-09-25 10:10 2007088 C:\Program Files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 19:07 61952 C:\WINDOWS\system32\hdashcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-03-03 14:08 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 15:00 44032 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 15:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW]
--a------ 2008-01-28 18:23 200781 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISXAgent]
--a------ 2008-01-09 11:16 1290240 C:\Program Files\Imprivata\ISXAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JSPEdit]
C:\Documents and Settings\avishayb\Desktop\projvisualstudio\Solution1.sln

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 15:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--a------ 2006-02-07 16:16 356352 C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 15:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 15:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-20 20:01 525824 C:\Program Files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 07:28 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinClicker.exe]
--a------ 2007-05-11 11:25 1150976 C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
--a------ 2008-01-23 02:47 939496 C:\Program Files\CheckPoint\Integrity Client\iclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-01-23 02:47 939496 C:\Program Files\Checkpoint\Integrity Client\iclient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" /service []
R2 SAPDAB_00;SAPDAB_00;D:\usr\sap\DAB\JC00\exe\sapstartsrv.exe pf=D:\usr\sap\DAB\SYS\profile\START_JC00_avishayb-7100 []
R2 SAPDAB_01;SAPDAB_01;D:\usr\sap\DAB\SCS01\exe\sapstartsrv.exe pf=D:\usr\sap\DAB\SYS\profile\START_SCS01_avishayb-7100 []
R2 SAPDBWWW;SAP DB WWW;d:\sapdb\programs\web\pgm\wahttp.exe [2005-06-16 12:14]
R2 SSOManHost;SSO Manager Host;"C:\Program Files\Imprivata\SSOManHost.exe" [2008-01-09 11:09]
R2 XServer;XServer;d:\sapdb\programs\pgm\serv.exe [2007-04-10 22:19]
R2 XyLoc Security System;XyLoc Security System;"C:\Program Files\Imprivata\XyLoc.exe" [2007-06-13 11:38]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2008-01-17 18:23]
S2 MailService;Rational ClearQuest Mail Service;"C:\Program Files\Rational\ClearQuest\mailservice.exe" [2005-06-08 11:02]
S3 icsak;icsak;C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys [2008-01-28 18:25]
S3 SAP DBTech-.M750044 (quick);SAPDB: .M750044 (quick);c:\sapdb\dab\db\pgm\quickknl.exe [2007-04-11 01:16]
S3 SAP DBTech-.M750044 (slow);SAPDB: .M750044 (slow);c:\sapdb\dab\db\pgm\slowknl.exe [2007-04-11 02:11]
S3 SAP DBTech-.M750044 (test);SAPDB: .M750044 (omststknl.exe);c:\sapdb\dab\db\pgm\omststknl.exe []
S3 SAP DBTech-.M750044;SAPDB: .M750044;c:\sapdb\dab\db\pgm\kernel.exe [2007-04-10 23:25]
S3 SAP DBTech-DAB (quick);SAPDB: DAB (quick);c:\sapdb\dab\db\pgm\quickknl.exe [2007-04-11 01:16]
S3 SAP DBTech-DAB (slow);SAPDB: DAB (slow);c:\sapdb\dab\db\pgm\slowknl.exe [2007-04-11 02:11]
S3 SAP DBTech-DAB (test);SAPDB: DAB (omststknl.exe);c:\sapdb\dab\db\pgm\omststknl.exe []
S3 SAP DBTech-DAB;SAPDB: DAB;c:\sapdb\dab\db\pgm\kernel.exe [2007-04-10 23:25]
S3 SAPDBXIE;SAPDBXIE;d:\sapdb\programs\web\pgm\sapdbxie.exe [2005-06-16 12:18]
S3 vsinstdv;vsinstdv;C:\DOCUME~1\avishayb\LOCALS~1\Temp\{CF20E9E4-4933-40D2-B305-CA9EDB585CA7}\vsinstdv.sys []
S4 IswSvc;ForceField IswSvc;"C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe" [2008-01-28 18:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 16:12:19
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-03-09 16:14:09
ComboFix-quarantined-files.txt 2008-03-09 14:14:04
ComboFix2.txt 2008-03-09 13:41:55
ComboFix3.txt 2008-03-09 12:30:18

Logfile BEFORE REBOOTING: mbam-log-3-9-2008(17-46-41).txt

Malwarebytes' Anti-Malware 1.07
Database version: 470

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 298096
Time elapsed: 1 hour(s), 24 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 5
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Installer\{9839e66d-b275-49ef-8e42-0b5d4e906787}\SysAlrt.dll (Trojan.Alphabet) -> Unloaded module successfully.
C:\WINDOWS\Installer\{0543c7c4-fed3-4762-a10e-76559d1e6c20}\zip.dll (Trojan.Alphabet) -> Unloaded module successfully.
C:\Program Files\IE Extensions\cj.v2.dll (Trojan.BHO) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9839e66d-b275-49ef-8e42-0b5d4e906787} (Trojan.Alphabet) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0543c7c4-fed3-4762-a10e-76559d1e6c20} (Trojan.Alphabet) -> Delete on reboot.
HKEY_CLASSES_ROOT\cj.cjmgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cj.cjmgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CJ.cjmgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CJ.cjmgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysAlrt (Trojan.Alphabet) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Alphabet) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Qhost) -> Data: wowfx.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\Installer\{9839e66d-b275-49ef-8e42-0b5d4e906787} (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\Installer\{0543c7c4-fed3-4762-a10e-76559d1e6c20} (Trojan.Alphabet) -> Delete on reboot.
C:\Program Files\SystemDefender (Rogue.SystemDefender) -> Quarantined and deleted successfully.
C:\Program Files\SysCleaner (Rogue.SysCleaner) -> Quarantined and deleted successfully.
C:\Program Files\IE Extensions (Trojan.BHO) -> Delete on reboot.

Files Infected:
C:\WINDOWS\Installer\{9839e66d-b275-49ef-8e42-0b5d4e906787}\SysAlrt.dll (Trojan.Alphabet) -> Delete on reboot.
C:\WINDOWS\Installer\{0543c7c4-fed3-4762-a10e-76559d1e6c20}\zip.dll (Trojan.Alphabet) -> Delete on reboot.
C:\QooBox\Quarantine\C\Program Files\ucleaner_setup.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP157\A0058352.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wowfx.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\Program Files\IE Extensions\cj.v2.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\tmp11175734.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Program Files\tmp11176265.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Program Files\tmp11181218.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Program Files\ucleaner_setup.exe (Adware.UCleaner) -> Quarantined and deleted successfully.
C:\Program Files\udefender_setup.exe (Adware.UDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\avishayb\Application Data\printer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\etc\services.1 (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
  • 0

#10
avishayil

avishayil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Items cannot be removed BEFORE REBOOTING:
Posted Image
  • 0

Advertisements


#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Can you please post a new Hijackthis log please also let me know how things are running?
  • 0

#12
avishayil

avishayil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Logfile: hjackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:00, on 03/09/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Imprivata\SSOManHost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
d:\sapdb\programs\web\pgm\wahttp.exe
C:\Program Files\Imprivata\ISXHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
d:\sapdb\programs\pgm\serv.exe
C:\Program Files\Imprivata\XyLoc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\FF97A0.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
\joan.ad.checkpoint.com\netlogon\ExodusLoader_Check.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Pandion\Pandion.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cpi.checkpoin...PHome/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-scan3.c...t.com/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SSO Browser Helper Object - {A683EEA9-ECFA-45A2-BCA9-7D9D54AD58AE} - C:\Program Files\Imprivata\ISXBho.dll
O2 - BHO: cj helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\IE Extensions\cj.v2.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: NuSphere ToolBar - {0F62D223-9206-4EA3-9EA8-D0F3C7C82ACA} - C:\Program Files\nusphere\phped\NuSphereIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SAPSMC] C:\WINDOWS\system32\mmc.exe "C:/WINDOWS\SAPMMC.MSC"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-21-2282855109-2227715834-790780181-1012\..\Run: [Exodus] C:\Program Files\Exodus\Exodus.exe (User 'SAPServiceDAB')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Pandion.lnk = C:\Program Files\Pandion\Pandion.exe
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: NuSphere PhpED :: Debug this page - res://C:\Program Files\nusphere\phped\NuSphereIEBar.dll/1000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://mustang-il-st.../siebelhtml.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {68CDB19A-6305-4589-8C35-41E3502CD451} (Siebel Option Pack for IE 7.5.3) - http://mustang-il-st...lOptionPack.cab
O16 - DPF: {8F4F3368-54CA-4268-8225-0F4367472CF4} (MailClient Class) - http://mustang-il-st...tMailClient.cab
O16 - DPF: {C0D2212A-5EF2-44F8-9441-1DB60F128112} (Siebel Option Pack for IE 7.5.3) - http://mustang-il-st...lOptionPack.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.checkpoint.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.checkpoint.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.checkpoint.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = checkpoint.com,zonelabs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.checkpoint.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = checkpoint.com,zonelabs.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.checkpoint.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = checkpoint.com,zonelabs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = checkpoint.com,zonelabs.com
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe (file missing)
O23 - Service: SAPDB: .M750044 (SAP DBTech-.M750044) - MySQL MaxDB - c:\sapdb\dab\db\pgm\kernel.exe
O23 - Service: SAPDB: .M750044 (quick) (SAP DBTech-.M750044 (quick)) - MySQL MaxDB - c:\sapdb\dab\db\pgm\quickknl.exe
O23 - Service: SAPDB: .M750044 (slow) (SAP DBTech-.M750044 (slow)) - MySQL MaxDB - c:\sapdb\dab\db\pgm\slowknl.exe
O23 - Service: SAPDB: .M750044 (omststknl.exe) (SAP DBTech-.M750044 (test)) - Unknown owner - c:\sapdb\dab\db\pgm\omststknl.exe (file missing)
O23 - Service: SAPDB: DAB (SAP DBTech-DAB) - MySQL MaxDB - c:\sapdb\dab\db\pgm\kernel.exe
O23 - Service: SAPDB: DAB (quick) (SAP DBTech-DAB (quick)) - MySQL MaxDB - c:\sapdb\dab\db\pgm\quickknl.exe
O23 - Service: SAPDB: DAB (slow) (SAP DBTech-DAB (slow)) - MySQL MaxDB - c:\sapdb\dab\db\pgm\slowknl.exe
O23 - Service: SAPDB: DAB (omststknl.exe) (SAP DBTech-DAB (test)) - Unknown owner - c:\sapdb\dab\db\pgm\omststknl.exe (file missing)
O23 - Service: SAPDAB_00 - SAP AG - D:\usr\sap\DAB\JC00\exe\sapstartsrv.exe
O23 - Service: SAPDAB_01 - SAP AG - D:\usr\sap\DAB\SCS01\exe\sapstartsrv.exe
O23 - Service: SAP DB WWW (SAPDBWWW) - Unknown owner - d:\sapdb\programs\web\pgm\wahttp.exe
O23 - Service: SAPDBXIE - Unknown owner - d:\sapdb\programs\web\pgm\sapdbxie.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SSO Manager Host (SSOManHost) - Imprivata, Inc. - C:\Program Files\Imprivata\SSOManHost.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: XServer - MySQL MaxDB - d:\sapdb\programs\pgm\serv.exe
O23 - Service: XyLoc Security System - Unknown owner - C:\Program Files\Imprivata\XyLoc.exe

--
End of file - 11618 bytes
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to this entry below:

O2 - BHO: cj helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\IE Extensions\cj.v2.dll (file missing)


Now click on Fix Checked and then close Hijackthis.
=====================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#14
avishayil

avishayil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
First of all thank you for your convenience and patience...
Sorry, but im using public work computer... and I gotta go home soon...
It will take a long long time because its scanning network folders also...
What if I will run a scanning process using NTRtScan?
The Task Manager option is availible again and it seems like virus has been vanquished...
Is this ok to use local NTRtScan and post results here?
I still didnt canceled the Kaspersky scan...

Edited by avishayil, 09 March 2008 - 10:54 AM.

  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes that is fine and make sure to update it before scanning.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP