Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hijack Log- Fake Visa Verification Site [CLOSED]


  • This topic is locked This topic is locked

#16
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
ComboFix 08-06-20.4 - Michael 2008-06-28 23:45:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.283 [GMT -4:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Cume.exe
C:\dYVO.exe
C:\WINDOWS\System32\aqhvonpc.dll
C:\WINDOWS\System32\ddcYonLe.dll
C:\WINDOWS\System32\diemhsyl.dll
C:\WINDOWS\System32\elwjqyrk.dll
C:\WINDOWS\system32\feivwytj.ini
C:\WINDOWS\System32\geBqRkIx.dll
C:\WINDOWS\System32\jxjnpx.dll
C:\WINDOWS\system32\nkyyfxqj.ini
C:\WINDOWS\System32\rqRJcAQj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\5.exe
C:\Cume.exe
C:\dYVO.exe
C:\WINDOWS\system32\feivwytj.ini
C:\WINDOWS\system32\nkyyfxqj.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-28 12:56 . 2008-06-28 12:56 661,504 --a--c--- C:\Combo Fix Table of Contents.doc
2008-06-28 12:21 . 2008-06-28 12:21 <DIR> d----c--- C:\Deckard
2008-06-22 23:44 . 2008-06-22 23:45 <DIR> d-------- C:\Program Files\Panda Security
2008-06-22 12:11 . 2008-06-22 12:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-22 12:10 . 2008-06-22 18:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-22 12:10 . 2008-06-22 12:10 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\SUPERAntiSpyware.com
2008-06-22 11:34 . 2008-06-22 11:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-22 11:34 . 2008-06-22 11:34 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Malwarebytes
2008-06-22 11:34 . 2008-06-22 11:34 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-22 11:34 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-22 11:34 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-22 11:33 . 2008-06-22 11:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-22 10:39 . 2008-06-22 10:39 <DIR> d----c--- C:\VundoFix Backups
2008-06-19 00:10 . 2008-06-22 12:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 23:45 . 2008-06-18 23:45 34,520 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-18 19:42 . 2008-06-18 20:33 <DIR> d-------- C:\Program Files\WebEx
2008-06-18 19:42 . 2008-06-18 20:25 36,864 --a------ C:\Documents and Settings\Michael\atwbxdet.dll
2008-06-18 18:30 . 2008-06-18 18:30 <DIR> d-------- C:\Program Files\Bonjour
2008-06-18 17:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-18 17:48 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-18 01:13 . 2008-06-18 01:13 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Template
2008-06-18 00:26 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-18 00:26 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-18 00:26 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-18 00:26 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-18 00:26 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-18 00:25 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-18 00:25 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-18 00:25 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-18 00:25 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-17 23:40 . 2008-06-17 23:40 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-15 23:00 . 2008-06-15 23:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-15 23:00 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-15 22:59 . 2008-06-15 22:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-15 22:53 . 2008-06-15 22:53 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-14 01:14 . 2008-04-23 00:16 826,368 -----c--- C:\WINDOWS\system32\dllcache\wininet.dll
2008-06-14 01:11 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-14 01:09 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-14 01:03 . 2008-06-15 22:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-14 01:03 . 2008-06-14 01:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-14 00:44 . 2008-06-14 00:44 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-14 00:44 . 2008-06-14 00:44 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-14 00:44 . 2008-06-14 00:44 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-14 00:07 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-06-14 00:06 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-13 21:21 . 2008-06-13 21:21 <DIR> d-------- C:\WINDOWS\provisioning
2008-06-13 21:21 . 2008-06-14 00:44 <DIR> d-------- C:\WINDOWS\peernet
2008-06-13 21:17 . 2008-06-14 00:44 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-13 21:08 . 2008-06-14 00:25 <DIR> d-------- C:\WINDOWS\EHome
2008-06-11 18:46 . 2008-06-11 18:46 51,304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2008-06-08 19:34 . 2008-06-08 23:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 22:35 . 2008-06-01 22:35 <DIR> d-------- C:\Documents and Settings\Meredith\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 03:51 1,006,368 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-29 03:49 96,440 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-29 03:49 454,688 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-29 03:49 33,646,624 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-27 21:20 4,099,584 ----a-w C:\WINDOWS\Internet Logs\xDB58.tmp
2008-06-25 05:16 1,031,168 ----a-w C:\WINDOWS\Internet Logs\xDB57.tmp
2008-06-20 21:41 660,992 ----a-w C:\WINDOWS\Internet Logs\xDB55.tmp
2008-06-20 21:41 4,048,384 ----a-w C:\WINDOWS\Internet Logs\xDB56.tmp
2008-06-19 11:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 00:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-18 23:06 --------- d-----w C:\Program Files\Symantec
2008-06-18 23:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-18 23:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 22:59 --------- d-----w C:\Program Files\Microsoft Money
2008-06-18 22:40 --------- d-----w C:\Program Files\Lavasoft
2008-06-18 22:34 --------- d-----w C:\Documents and Settings\Michael\Application Data\Apple Computer
2008-06-18 05:18 3,988,992 ----a-w C:\WINDOWS\Internet Logs\xDB54.tmp
2008-06-18 00:27 3,949,056 ----a-w C:\WINDOWS\Internet Logs\xDB53.tmp
2008-06-16 11:36 3,945,472 ----a-w C:\WINDOWS\Internet Logs\xDB52.tmp
2008-06-16 03:35 --------- d-----w C:\Program Files\iTunes
2008-06-16 03:34 --------- d-----w C:\Program Files\iPod
2008-06-16 03:19 --------- d-----w C:\Program Files\Apple Software Update
2008-06-16 03:18 784,384 ----a-w C:\WINDOWS\Internet Logs\xDB51.tmp
2008-06-16 03:12 --------- d-----w C:\Program Files\QuickTime
2008-06-14 03:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-14 03:36 --------- d-----w C:\Program Files\Common Files\Real
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:40 --------- d-----w C:\Program Files\imGiant
2008-06-12 05:27 34,816 ----a-w C:\WINDOWS\Internet Logs\xDB4F.tmp
2008-06-12 05:27 3,834,880 ----a-w C:\WINDOWS\Internet Logs\xDB50.tmp
2008-06-12 04:37 193,536 ----a-w C:\WINDOWS\Internet Logs\xDB4E.tmp
2008-06-11 04:29 32,256 ----a-w C:\WINDOWS\Internet Logs\xDB4D.tmp
2008-06-11 01:20 92,160 ----a-w C:\WINDOWS\Internet Logs\xDB4C.tmp
2008-06-10 01:03 82,432 ----a-w C:\WINDOWS\Internet Logs\xDB4A.tmp
2008-06-10 01:03 3,827,712 ----a-w C:\WINDOWS\Internet Logs\xDB4B.tmp
2008-06-09 05:23 495,616 ----a-w C:\WINDOWS\Internet Logs\xDB49.tmp
2008-06-08 20:49 5,292,543 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-08 20:36 27,136 ----a-w C:\WINDOWS\Internet Logs\xDB13DB.tmp
2008-06-08 16:49 452,608 ----a-w C:\WINDOWS\Internet Logs\xDB47.tmp
2008-06-08 16:49 3,806,208 ----a-w C:\WINDOWS\Internet Logs\xDB48.tmp
2008-06-04 04:12 2,833,920 ----a-w C:\WINDOWS\Internet Logs\xDB46.tmp
2008-06-02 21:49 3,687,424 ----a-w C:\WINDOWS\Internet Logs\xDB45.tmp
2008-05-31 13:15 --------- d-----w C:\Program Files\BitComet
2008-05-30 04:13 597,504 ----a-w C:\WINDOWS\Internet Logs\xDB44.tmp
2008-05-29 02:37 --------- dc----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 02:23 16,779,761 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_28_21_13_34_full.dmp.zip
2008-05-28 19:37 556,032 ----a-w C:\WINDOWS\Internet Logs\xDB43.tmp
2008-05-28 14:08 --------- d-----w C:\Documents and Settings\Michael\Application Data\Lavasoft
2008-05-27 00:09 3,644,928 ----a-w C:\WINDOWS\Internet Logs\xDB42.tmp
2008-05-24 16:32 1,208,832 ----a-w C:\WINDOWS\Internet Logs\xDB41.tmp
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 21:25 217,600 ----a-w C:\WINDOWS\Internet Logs\xDB40.tmp
2008-05-14 21:45 1,453,056 ----a-w C:\WINDOWS\Internet Logs\xDB3F.tmp
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 22:59 --------- d-----w C:\Documents and Settings\Michael\Application Data\AdobeUM
2008-05-07 16:29 2,405,888 ----a-w C:\WINDOWS\Internet Logs\xDB3E.tmp
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-21 23:46 182,784 ----a-w C:\WINDOWS\Internet Logs\xDB3D.tmp
2008-04-20 12:48 208,896 ----a-w C:\WINDOWS\Internet Logs\xDB3C.tmp
2008-04-18 13:47 1,007,104 ----a-w C:\WINDOWS\Internet Logs\xDB3B.tmp
2008-04-17 11:51 3,614,208 ----a-w C:\WINDOWS\Internet Logs\xDB3A.tmp
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ------w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:01 3,615,232 ----a-w C:\WINDOWS\Internet Logs\xDB39.tmp
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ------w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
.

((((((((((((((((((((((((((((( [email protected]_13.48.01.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 17:37:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-29 03:50:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-28 17:37:45 447,536 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-29 03:51:00 449,692 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AB3A2C8-6237-43BE-A16F-8C48D33E4741}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{303477A6-F9AE-4ED7-8E8A-9F492B8CA82B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{554D06CB-75C0-43F4-821C-2BAF86D85124}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{671bd52f-69ad-48a9-aa33-2f8c27965290}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AC2D634-0D43-47DF-AF9F-364C2589FB7E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7EDE424-D0A6-405D-8531-1EDFCD07DEF8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC8CF027-34ED-3136-E2A9-1B6471DD4DB5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickenScheduledUpdates"="C:\Program Files\Quicken\bagent.exe" [2007-05-07 14:17 87592]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"SpybotSD TeaTimer"="D:\Program Files D Drive\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 18:51 4612096]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2003-06-26 19:00 90112]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 01:08 28672]
"WD Button Manager"="WDBtnMgr.exe" [2006-09-24 14:31 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 21:30 1191936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14 155648]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19 69632]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-03-07 15:29:50 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-09-12 111376]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 07:05:56 65588]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-09-12 51984]
PowerPanel.lnk - C:\Program Files\PowerPanel\Program\PcfMgr.exe [2003-08-07 17:45:44 872448]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-09-11 09:38:44 972064]
Remocon Driver.lnk - C:\Program Files\Sony\USBSircs\usbsircs.exe [2004-09-11 00:44:05 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQjjge]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Timer Recording Manager.lnk
backup=C:\WINDOWS\pss\Timer Recording Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-06-13 18:52 114688 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2002-03-14 19:46 45056 C:\WINDOWS\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmaTel StacMon]
--a------ 2003-03-26 21:19 45056 C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
--a------ 2003-06-23 20:32 1409024 c:\program files\support.com\client\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFHWSIS.sys [2003-03-13 17:19]
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2002-08-20 15:59]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2002-06-28 21:21]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2001-07-24 13:34]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 21:07:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 05:33:25 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 23:52:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [580]
??\C:\WINDOWS\system32\csrss.exe [644]
??\C:\WINDOWS\system32\winlogon.exe [684]
C:\WINDOWS\system32\services.exe [740]
C:\WINDOWS\system32\lsass.exe [752]
C:\WINDOWS\system32\svchost.exe [944]
C:\WINDOWS\system32\svchost.exe [1088]
C:\WINDOWS\System32\svchost.exe [1180]
C:\WINDOWS\System32\svchost.exe [1264]
C:\WINDOWS\system32\svchost.exe [1336]
D:\Program Files D Drive\aawservice.exe [1756]
C:\WINDOWS\system32\spoolsv.exe [612]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1132]
C:\Program Files\Bonjour\mDNSResponder.exe [1164]
C:\Program Files\sony\giga pocket\shwserv.exe [1388]
C:\WINDOWS\System32\nvsvc32.exe [1540]
C:\WINDOWS\system32\CF4855.exe [1824]
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2016]
C:\WINDOWS\System32\svchost.exe [436]
C:\WINDOWS\System32\wdfmgr.exe [492]
C:\WINDOWS\system32\wuauclt.exe [2644]
C:\Program Files\Sony\giga pocket\RM_SV.exe [3400]
C:\WINDOWS\system32\wscntfy.exe [3796]
C:\Program Files\Sony\HotKey Utility\HKserv.exe [3992]
C:\WINDOWS\System32\ezSP_Px.exe [4020]
C:\WINDOWS\system32\WDBtnMgr.exe [4060]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [1044]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [296]
C:\Program Files\iTunes\iTunesHelper.exe [1592]
C:\Program Files\Quicken\bagent.exe [1452]
C:\WINDOWS\system32\ctfmon.exe [876]
C:\Program Files\Microsoft Office\Office\OSA.EXE [2116]
C:\Program Files\PowerPanel\Program\PcfMgr.exe [2120]
C:\Program Files\Sony\USBSircs\usbsircs.exe [2148]
C:\WINDOWS\System32\alg.exe [2248]
C:\Program Files\Sony\HotKey Utility\HKWnd.exe [2652]
C:\Program Files\iPod\bin\iPodService.exe [3584]
C:\WINDOWS\System32\wbem\wmiprvse.exe [1872]
C:\WINDOWS\explorer.exe [3140]
C:\ComboFix\catchme.cfexe [3416]
.
**************************************************************************
.
Completion time: 2008-06-29 0:01:39 - machine was rebooted [Michael]
ComboFix-quarantined-files.txt 2008-06-29 04:01:29
ComboFix2.txt 2008-06-28 17:48:30

Pre-Run: 1,137,086,464 bytes free
Post-Run: 1,123,409,920 bytes free

347 --- E O F --- 2008-06-25 01:08:20

-----------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:08 AM, on 6/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files D Drive\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Sony\USBSircs\usbsircs.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files D Drive\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MICHAEL\Application Data\Mozilla\Profiles\default\s3h4x0tm.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files D Drive\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ChatSpace Java Client 4.0.0.325 - http://chat.scout.co...va/cms40325.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb02a.cab
O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} (myax Control) - http://www.icannnews.com/app/ST/ax.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1213760249984
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mindbodyonli...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B862B6-8450-4D45-8B32-78FC1B919154}: NameServer = 209.137.160.7,209.137.171.10
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\Program Files D Drive\Quickbooks PRO2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files D Drive\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\sony\giga pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Perssv - Primax Electronics Ltd. - (no file)
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11359 bytes
  • 0

Advertisements


#17
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, thanks for the reply.. Please do the following....


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Michael\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    C:\WINDOWS\Internet Logs\xDB??.tmp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0AB3A2C8-6237-43BE-A16F-8C48D33E4741}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{303477A6-F9AE-4ED7-8E8A-9F492B8CA82B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{554D06CB-75C0-43F4-821C-2BAF86D85124}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{671bd52f-69ad-48a9-aa33-2f8c27965290}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6AC2D634-0D43-47DF-AF9F-364C2589FB7E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7EDE424-D0A6-405D-8531-1EDFCD07DEF8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8CF027-34ED-3136-E2A9-1B6471DD4DB5}
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQjjge
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


I noticed that you already have Malwarebytes' Anti-Malware.. Please run and update it..
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.





Please post the following logs in your next reply.. Post each log in separate post..

1. OTMoveIt2
2. Malwarebytes'
3. A fresh Deckard System Scanner log (after Malwarebytes' step)
4. Tell me about your computer behaviour..



Regards
fenzodahl512
  • 0

#18
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
Explorer killed successfully
C:\Documents and Settings\Michael\Start Menu\Programs\Startup\PowerReg Scheduler.exe moved successfully.
< C:\WINDOWS\Internet Logs\xDB??.tmp >
C:\WINDOWS\Internet Logs\xDB1.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB10.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB11.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB12.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB13.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB14.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB15.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB16.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB17.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB18.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB19.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB1A.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB1B.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB1C.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB1D.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB1E.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB1F.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB2.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB20.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB21.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB22.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB23.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB24.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB25.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB26.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB27.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB28.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB29.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB2A.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB2B.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB2C.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB2D.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB2E.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB2F.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB3.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB30.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB31.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB32.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB33.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB34.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB35.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB36.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB37.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB38.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB39.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB3A.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB3B.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB3C.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB3D.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB3E.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB3F.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB4.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB40.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB41.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB42.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB43.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB44.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB45.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB46.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB47.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB48.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB49.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB4A.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB4B.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB4C.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB4D.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB4E.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB4F.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB5.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB50.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB51.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB52.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB53.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB54.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB55.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB56.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB57.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB58.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB6.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB7.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB8.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB9.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDBA.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDBB.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDBC.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDBD.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDBE.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDBF.tmp moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0AB3A2C8-6237-43BE-A16F-8C48D33E4741} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0AB3A2C8-6237-43BE-A16F-8C48D33E4741}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{303477A6-F9AE-4ED7-8E8A-9F492B8CA82B} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{303477A6-F9AE-4ED7-8E8A-9F492B8CA82B}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{554D06CB-75C0-43F4-821C-2BAF86D85124} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{554D06CB-75C0-43F4-821C-2BAF86D85124}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{671bd52f-69ad-48a9-aa33-2f8c27965290} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{671bd52f-69ad-48a9-aa33-2f8c27965290}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6AC2D634-0D43-47DF-AF9F-364C2589FB7E} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6AC2D634-0D43-47DF-AF9F-364C2589FB7E}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7EDE424-D0A6-405D-8531-1EDFCD07DEF8} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7EDE424-D0A6-405D-8531-1EDFCD07DEF8}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8CF027-34ED-3136-E2A9-1B6471DD4DB5} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8CF027-34ED-3136-E2A9-1B6471DD4DB5}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQjjge >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQjjge\\ deleted successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Michael\LOCALS~1\Temp\~DF8888.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\bca4e2da.$$$ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\fa56d7ec.$$$ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT0588a.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT06ba8.TMP scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06292008_021203

Files moved on Reboot...
C:\DOCUME~1\Michael\LOCALS~1\Temp\~DF8888.tmp moved successfully.
File move failed. C:\WINDOWS\temp\bca4e2da.$$$ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\fa56d7ec.$$$ scheduled to be moved on reboot.
C:\WINDOWS\temp\ZLT0588a.TMP moved successfully.
C:\WINDOWS\temp\ZLT06ba8.TMP moved successfully.
  • 0

#19
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
Malwarebytes' Anti-Malware 1.19
Database version: 901
Windows 5.1.2600 Service Pack 3

3:45:35 AM 6/29/2008
mbam-log-6-29-2008 (03-45-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 107992
Time elapsed: 1 hour(s), 14 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#20
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
Deckard's System Scanner v20071014.68
Run by Michael on 2008-06-29 03:47:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 1.11 GiB (less than 15%) free.


-- HijackThis (run as Michael.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:11 AM, on 6/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files D Drive\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael\Desktop\dss.exe
D:\PROGRA~1\Michael.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MICHAEL\Application Data\Mozilla\Profiles\default\s3h4x0tm.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0AB3A2C8-6237-43BE-A16F-8C48D33E4741} - (no file)
O2 - BHO: (no name) - {303477A6-F9AE-4ED7-8E8A-9F492B8CA82B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {554D06CB-75C0-43F4-821C-2BAF86D85124} - (no file)
O2 - BHO: (no name) - {671bd52f-69ad-48a9-aa33-2f8c27965290} - (no file)
O2 - BHO: (no name) - {6AC2D634-0D43-47DF-AF9F-364C2589FB7E} - (no file)
O2 - BHO: (no name) - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - (no file)
O2 - BHO: (no name) - {F7EDE424-D0A6-405D-8531-1EDFCD07DEF8} - (no file)
O2 - BHO: (no name) - {FC8CF027-34ED-3136-E2A9-1B6471DD4DB5} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files D Drive\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ChatSpace Java Client 4.0.0.325 - http://chat.scout.co...va/cms40325.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....42037/sb02a.cab
O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} (myax Control) - http://www.icannnews.com/app/ST/ax.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1213760249984
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mindbodyonli...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B862B6-8450-4D45-8B32-78FC1B919154}: NameServer = 209.137.160.7,209.137.171.10
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\Program Files D Drive\Quickbooks PRO2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: ssqQjjge - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files D Drive\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\sony\giga pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Perssv - Primax Electronics Ltd. - (no file)
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11909 bytes

-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-28 23:36:58 0 d------c- C:\cmdcons
2008-06-28 13:29:23 68096 --a------ C:\WINDOWS\zip.exe
2008-06-28 13:29:23 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-28 13:29:23 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-28 13:29:23 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-28 13:29:23 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-28 13:29:23 98816 --a------ C:\WINDOWS\sed.exe
2008-06-28 13:29:23 80412 --a------ C:\WINDOWS\grep.exe
2008-06-28 13:29:23 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-22 23:44:25 0 d-------- C:\Program Files\Panda Security
2008-06-22 12:11:09 0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-22 12:10:35 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-22 12:10:35 0 d-------- C:\Documents and Settings\Michael\Application Data\SUPERAntiSpyware.com
2008-06-22 11:34:24 0 d-------- C:\Documents and Settings\Michael\Application Data\Malwarebytes
2008-06-22 11:34:09 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-22 11:34:05 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-22 11:33:06 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-22 10:39:53 0 d------c- C:\VundoFix Backups
2008-06-19 00:10:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 23:45:26 34520 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-18 19:42:03 0 d-------- C:\Program Files\WebEx
2008-06-18 19:42:02 36864 --a------ C:\Documents and Settings\Michael\atwbxdet.dll <Not Verified; ; atwbxdet Module>
2008-06-18 18:30:22 0 d-------- C:\Program Files\Bonjour
2008-06-18 01:13:18 0 d-------- C:\Documents and Settings\Michael\Application Data\Template
2008-06-17 23:40:40 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-15 23:00:56 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-15 22:59:57 0 d-------- C:\Program Files\Common Files\Apple
2008-06-15 22:53:32 0 d------c- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-14 08:55:55 0 d-------- C:\WINDOWS\pss
2008-06-14 00:58:37 0 d-------- C:\WINDOWS\Prefetch
2008-06-14 00:44:15 0 d-------- C:\WINDOWS\system32\scripting
2008-06-14 00:44:08 0 d-------- C:\WINDOWS\l2schemas
2008-06-14 00:44:07 0 d-------- C:\WINDOWS\system32\en
2008-06-14 00:35:16 0 d-------- C:\WINDOWS\network diagnostic
2008-06-13 21:21:57 0 d-------- C:\WINDOWS\peernet
2008-06-13 21:21:53 0 d-------- C:\WINDOWS\provisioning
2008-06-13 21:17:42 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-13 21:08:10 0 d-------- C:\WINDOWS\EHome
2008-06-11 18:46:15 51304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2008-06-08 19:34:47 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 08:40:36 0 d------c- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-01 22:35:02 0 d-------- C:\Documents and Settings\Meredith\Application Data\AdobeUM


-- Find3M Report ---------------------------------------------------------------

2008-06-24 18:13:36 0 d-------- C:\Documents and Settings\Michael\Application Data\Mozilla
2008-06-22 11:33:06 0 d-------- C:\Program Files\Common Files
2008-06-18 20:53:23 0 d-------- C:\Program Files\Windows NT
2008-06-18 19:06:03 0 d-------- C:\Program Files\Symantec
2008-06-18 19:05:47 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-18 19:04:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-18 18:59:16 0 d-------- C:\Program Files\Microsoft Money
2008-06-18 18:40:07 0 d-------- C:\Program Files\Lavasoft
2008-06-18 18:34:58 0 d-------- C:\Documents and Settings\Michael\Application Data\Apple Computer
2008-06-15 23:35:48 0 d-------- C:\Program Files\iTunes
2008-06-15 23:34:51 0 d-------- C:\Program Files\iPod
2008-06-15 23:19:36 0 d-------- C:\Program Files\Apple Software Update
2008-06-15 23:12:10 0 d-------- C:\Program Files\QuickTime
2008-06-14 01:08:04 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-14 00:44:56 0 d-------- C:\Program Files\Messenger
2008-06-14 00:44:06 0 d-------- C:\Program Files\Movie Maker
2008-06-13 23:42:05 0 d-------- C:\Documents and Settings\Michael\Application Data\Adobe
2008-06-13 23:41:53 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-13 23:36:36 0 d-------- C:\Program Files\Common Files\Real
2008-06-13 23:36:18 0 d-------- C:\Documents and Settings\Michael\Application Data\Real
2008-06-12 18:40:08 0 d-------- C:\Program Files\imGiant
2008-05-31 09:15:55 0 d-------- C:\Program Files\BitComet
2008-05-28 10:08:20 0 d-------- C:\Documents and Settings\Michael\Application Data\Lavasoft
2008-05-07 18:59:38 0 d-------- C:\Documents and Settings\Michael\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AB3A2C8-6237-43BE-A16F-8C48D33E4741}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{303477A6-F9AE-4ED7-8E8A-9F492B8CA82B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{554D06CB-75C0-43F4-821C-2BAF86D85124}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{671bd52f-69ad-48a9-aa33-2f8c27965290}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AC2D634-0D43-47DF-AF9F-364C2589FB7E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7EDE424-D0A6-405D-8531-1EDFCD07DEF8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC8CF027-34ED-3136-E2A9-1B6471DD4DB5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [05/02/2003 06:51 PM]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [06/26/2003 07:00 PM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 01:29 PM]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [04/20/2003 01:08 AM]
"WD Button Manager"="WDBtnMgr.exe" [09/24/2006 02:31 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [03/21/2006 09:30 PM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/30/2003 01:14 AM]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [03/21/2006 02:19 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/14/2008 12:11 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/02/2008 11:13 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickenScheduledUpdates"="C:\Program Files\Quicken\bagent.exe" [05/07/2007 02:17 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"SpybotSD TeaTimer"="D:\Program Files D Drive\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [9/12/1997]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 7:05:56 AM]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [9/12/1997]
PowerPanel.lnk - C:\Program Files\PowerPanel\Program\PcfMgr.exe [8/7/2003 5:45:44 PM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [9/11/2007 9:38:44 AM]
Remocon Driver.lnk - C:\Program Files\Sony\USBSircs\usbsircs.exe [9/11/2004 12:44:05 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQjjge]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Timer Recording Manager.lnk
backup=C:\WINDOWS\pss\Timer Recording Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmaTel StacMon]
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
"c:\program files\support.com\client\bin\tgcmd.exe" /server

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-29 03:53:24 ------------
  • 0

#21
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
I'm still having the same problems. What do you think it is? How big of a risk is it?

My biggest concern is the fake Visa verification pop-up that is attempting to capture my credit card info.

Also I still had to enter my password twice into hotmail and the delete button isn't working in internet explorer.
  • 0

#22
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Erm.. It seems the nasties are back..

Can you give me the screenshot of the pop-ups?


Anything involves online banking is extremely high-risk..

I suggest you do the following IMMEDIATELY:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online-banking/financial purpose until we give it all clear[/b]


But first, please give me the screenshot... Thank you :)
  • 0

#23
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
I had difficulty getting a screenshot, but I was able to attach a gif file. You will need to zoom in to read it. The bottom of the screen is cutoff. Normally my credit card number will be populated in the field. The exp date will be incorrect and most of the other fields will be blank. Transactions will not go thru unless you populate all of the info and hit the submit button or you close out the pop-up window.

The pop-up only is occuring in IE7 so I've been using Firefox instead, but I need to use IE7 for certain things. Do you think I'm safe to use Firefox until this issue is resolved?

Any thoughts? Any tips on getting a screenshot?

Attached Thumbnails

  • 555.gif

  • 0

#24
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, your screenshot is too small.. I can't read it..


When the pop-up appears again, please do the following...

Press Prnt Scrn button.. And then go to Start >> Run >> Copy/paste below >> Press Enter

mspaint.exe


Then at Paint, click on Edit >> Paste... Save it as JPEG file and attached it here..





NEXT


I will need you to disable the following programs prior to our fix.. Please re-enable them back after performing all steps given...

1. Lavasoft Ad-Aware
2. ZoneAlarm
3. Spybot - Search & Destroy

Please visit HERE for further instructions..





NEXT


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {0AB3A2C8-6237-43BE-A16F-8C48D33E4741} - (no file)
O2 - BHO: (no name) - {303477A6-F9AE-4ED7-8E8A-9F492B8CA82B} - (no file)
O2 - BHO: (no name) - {554D06CB-75C0-43F4-821C-2BAF86D85124} - (no file)
O2 - BHO: (no name) - {671bd52f-69ad-48a9-aa33-2f8c27965290} - (no file)
O2 - BHO: (no name) - {6AC2D634-0D43-47DF-AF9F-364C2589FB7E} - (no file)
O2 - BHO: (no name) - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - (no file)
O2 - BHO: (no name) - {F7EDE424-D0A6-405D-8531-1EDFCD07DEF8} - (no file)
O2 - BHO: (no name) - {FC8CF027-34ED-3136-E2A9-1B6471DD4DB5} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: ssqQjjge - C:\WINDOWS\


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download Dr.Web CureIt to the Desktop:
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.



Please post the following logs in your next reply.. As usual, post each log in separate post...

1. Dr.Web
2. A fresh Deckard System Scanner (after Dr.Web step)
3. Another screenie of the pop-ups..



Regards
fenzodahl512
  • 0

#25
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
I'm working on it. I have a concern with posting a screenshot with my credit card # on it. Is there a way to remove my credit card# prior to posting the screenshot?
  • 0

Advertisements


#26
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts

I'm working on it. I have a concern with posting a screenshot with my credit card # on it. Is there a way to remove my credit card# prior to posting the screenshot?


Well.. you can erase it through Paint program of course :)
  • 0

#27
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
Update - Thanks for the tip regarding the paint program.

I think the Hijack delete files step took.

I'm running Dr CureIt, but is taking awhile. Wanted to let you know it identified something called Backdoor.Maosboot in the process memory.

During the full system scan it has identified a few items. It identified a file in Spybot S&D, the malware bytes executable, and the combofix exe and removed it from my desktop. Does that make sense?

I'll post the logs you requested as soon as it is finished.

Thanks for all of your help. I really appreciate it :)
  • 0

#28
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts

Update - Thanks for the tip regarding the paint program.

I think the Hijack delete files step took.

I'm running Dr CureIt, but is taking awhile. Wanted to let you know it identified something called Backdoor.Maosboot in the process memory.

During the full system scan it has identified a few items. It identified a file in Spybot S&D, the malware bytes executable, and the combofix exe and removed it from my desktop. Does that make sense?

I'll post the logs you requested as soon as it is finished.

Thanks for all of your help. I really appreciate it :)



Don't worry.. Its false positive... But your computer is definitely not safe for online banking...

Will wait for your log.. Err.. maybe I just can continue it tomorrow... Almost 2am in Malaysia :)

Edited by fenzodahl512, 29 June 2008 - 11:55 AM.

  • 0

#29
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
Wow ....2am you're pretty dedicated. You must be making the big bucks :)

I'll post the logs as soon as they are finished. When do you think you'll be back online?

I want to make sure I get back online when you do. I'm guessing it will be in the morning in Malaysia and in the evening in the east cost in the US.

In all seriousness, is there a donation section on this website?

BTW - I'm starting to get a number of hits with the system volume section of the scan.
  • 0

#30
decane

decane

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 105 posts
Dr Cure IT log:

It looks like it got rid of the combo fix program. Should I reinstall it?



Process in memory: C:\WINDOWS\system32\services.exe:804;;BackDoor.MaosBoot;Eradicated.;
RegUBP2b-Michael.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
ComboFix.exe\327882R2FWJFW\FIND3M.bat;C:\Documents and Settings\Michael\Desktop\ComboFix.exe;Probably SCRIPT.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Michael\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Michael\Desktop;Archive contains infected objects;Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;Incurable.Moved.;
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0173189.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP934;Trojan.StartPage.1505;Deleted.;
A0175164.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP934;Trojan.StartPage.1505;Deleted.;
A0176161.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP935;Trojan.StartPage.1505;Deleted.;
A0176233.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP935;Trojan.StartPage.1505;Deleted.;
A0177236.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP935;Trojan.StartPage.1505;Deleted.;
A0177349.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP937;Trojan.StartPage.1505;Deleted.;
A0177372.EXE;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP937;Program.PsExec.170;Incurable.Moved.;
A0177396.bat;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP937;Probably SCRIPT.Virus;Incurable.Moved.;
A0178347.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP937;Trojan.StartPage.1505;Deleted.;
A0178418.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP937;Trojan.StartPage.1505;Deleted.;
A0179430.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP938;Trojan.StartPage.1505;Deleted.;
A0179459.bat;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP938;Probably SCRIPT.Virus;Incurable.Moved.;
A0179541.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP939;Trojan.StartPage.1505;Deleted.;
A0179563.EXE;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP939;Program.PsExec.170;Incurable.Moved.;
A0179572.bat;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP939;Probably SCRIPT.Virus;Incurable.Moved.;
A0180540.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP939;Trojan.StartPage.1505;Deleted.;
A0180622.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP939;Trojan.StartPage.1505;Deleted.;
A0181707.reg;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP939;Trojan.StartPage.1505;Deleted.;
A0181746.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP939\A0181746.exe;Probably SCRIPT.Virus;;
A0181746.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP939\A0181746.exe;Program.PsExec.171;;
A0181746.exe;C:\System Volume Information\_restore{A856ED90-CE79-4D4B-A898-2BAD8DB72982}\RP939;Archive contains infected objects;Moved.;
HTpatch.exe;C:\WINDOWS\Drivers\Chipset\AGP\htpatch;Tool.Htpatch;Incurable.Moved.;
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP