
Infected With Scprot4.exe

9 replies to this topic

#1 Grantastic

Posted 12 December 2007 - 09:07 PM

Ok so I've done all the scanning. I've scanned my computer with the following: Spybot - Search & Destroy, McAfee AVERT Stinger, Ad-Aware SE, Housecall Anti Virus, and a few more. Last, I scanned my computer with Windows Defender and the program said my computer is running normally, which proves that that program is a piece of crap because I definitely know it is NOT.

So here's my story:

There are 4 user accounts on my computer (1 admin (the main admin), another admin (I guess this one has "limited" admin privileges) and 2 limited). So I get the virus on the "limited" admin account. I find out that I have the virus when these icons start popping up. So I log onto the real admin and start using the scanners. I was able to delete Malware Alarm but the program "scprot4.exe" is unable to be deleted, even with the main admin account! The next morning I find that the 2 limited user accounts and the "limited" admin account have unchangeable blue desktop backgrounds but the main admin is fine. Why? Is it because I swept out stuff while I was logged on the main admin? Anyways, all accounts have the "Windows Security Alert" problem (that thing in the system tray that tells you that you need to turn on firewall and all that). As it turns out, there was another one just like it but I knew it was a trick because on the bottom left corner it said "Uninstall." I figured this was part of the "Malware Alarm" program and I was able to wipe that out with one of my scans :thumbsup:.

Well, I hope my story is detailed enough! Here's my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:25 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\OLYMPUS\m-trip\Bin\m-tripLauncher.exe
C:\Interwise\Student\pull.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\MrobeService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: XBTP01621 Class - {9EBBE90B-282E-4c39-8A7E-120749169F0F} - C:\PROGRA~1\BEARSH~2\MediaBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: BearShare MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\BearShare MediaBar\MediaBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Grant's Stuff\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [arqtqjij] rundll32.exe "C:\Program Files\arqtqjij\kjsdmlsv.dll",Init
O4 - HKLM\..\Run: [qbefczyd] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qbefczyd.dll"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win199.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [pczutila] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pczutila.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: m-trip Launcher.lnk = ?
O4 - Global Startup: Push Client.LNK = C:\Interwise\Student\pull.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...lante_load.html
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\system32\MrobeService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TVTA Manager - Unknown owner - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 13867 bytes
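The O4 entries in the log above are where this infection shows itself: a lookalike system name (`Isass.exe` with a capital I in place of `lsass.exe`), a genuine system name in the wrong directory (`C:\WINDOWS\lsass.exe`), an executable launched from `C:\WINDOWS\TEMP`, DLLs loaded through `rundll32`/`regsvr32` from random-looking directories, and a bare file name with no path. The following script is an added example, not part of this thread or of HijackThis; it parses O4 Run lines in HijackThis format and applies those defender-side heuristics to them. The sample lines are copied from the log above (labelled as a constructed sample), the severity labels and the `watchlist` parameter (names the user already reported, here `scprot4.exe`) are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Core Windows processes that never belong in a Run key and whose names are
# popular targets for lookalikes (e.g. Isass.exe with a capital I for lsass.exe).
CORE_PROCESSES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "svchost.exe", "explorer.exe"}

# Characters commonly swapped to fake a system process name.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "0": "o"})

# HijackThis O4 Run line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First absolute path with an executable-ish extension inside the command line.
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cmd|vbs)')


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Return hive/name/cmd for an O4 Run line, or None for anything else."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(entry: Dict[str, str], watchlist: Set[str]) -> List[str]:
    """Apply the heuristics to one parsed entry; returns the reasons it was flagged."""
    reasons: List[str] = []
    cmd = entry["cmd"]
    low = cmd.lower()
    m = PATH_RE.search(cmd)
    path = m.group(0) if m else ""
    entry["path"] = path
    if not path:
        # Bare names are resolved through the search path; legit vendors do this
        # too (ALCWZRD.EXE in the log), so this stays low severity.
        if not low.startswith("%"):
            reasons.append("low: no absolute path, binary located via search path")
        return reasons
    parent, base = path.rsplit("\\", 1)
    parent, base = parent.lower(), base.lower()
    if base in watchlist:
        reasons.append("high: file name reported by the user")
    if base in CORE_PROCESSES:
        reasons.append("high: core system process name registered as a Run entry")
    elif base.translate(HOMOGLYPHS) in CORE_PROCESSES:
        reasons.append("high: lookalike of a core system process name")
    if "\\temp\\" in parent + "\\":
        reasons.append("high: runs from a Temp directory")
    if (low.startswith("rundll32") or low.startswith("regsvr32")) \
            and base.endswith(".dll") and "\\system32" not in parent:
        reasons.append("medium: DLL loaded via host process from outside System32")
    return reasons


def triage(log_text: str, watchlist: Set[str] = frozenset()) -> List[Dict[str, object]]:
    """Scan a HijackThis log and return the flagged O4 entries with their reasons."""
    wl = {w.lower() for w in watchlist}
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry, wl)
        if reasons:
            findings.append({"name": entry["name"], "path": entry["path"], "reasons": reasons})
    return findings


# Constructed sample: O4 lines taken from the log posted above, clean and suspect mixed.
SAMPLE_O4_LINES = "\n".join([
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [arqtqjij] rundll32.exe "C:\Program Files\arqtqjij\kjsdmlsv.dll",Init',
    r'O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win199.exe',
    r'O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe',
    r'O4 - HKLM\..\Run: [smgr] mgrs.exe',
    r'O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe',
    r'O4 - HKLM\..\Run: [pczutila] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pczutila.dll"',
    r'O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
])

if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES, {"scprot4.exe"}):
        print(f"[{f['name']}] {f['path'] or '(no path)'}")
        for r in f["reasons"]:
            print("    " + r)
```

Run it against a full log by passing the file's text to `triage`; the clean entries (ZoneAlarm, the NVIDIA rundll32 entry in System32, ctfmon) produce nothing, while the seven entries a helper would ask about are each returned with the reason they stood out. The homoglyph check is deliberately narrow: it only fires when the name becomes a real core process name after the swap, so ordinary vendor names are not flagged.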


#2 bamajim

Posted 24 December 2007 - 10:24 AM

Grantastic

Sorry for the delay

Please download Combofix and save to your desktop.
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 Grantastic

Posted 27 December 2007 - 08:47 PM

ComboFix 07-12-28.1 - Marcellinus Mailo 2007-12-27 18:30:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.340 [GMT -7:00]
Running from: C:\Documents and Settings\Marcellinus Mailo\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Grant Mailo\Application Data\wsnpoem
C:\Documents and Settings\Grant Mailo\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\Grant Mailo\Application Data\wsnpoem\audio.dll.cla
C:\Documents and Settings\Grant Mailo\Application Data\wsnpoem\video.dll
C:\Documents and Settings\Marcellinus Mailo\Application Data\inst.exe
C:\Documents and Settings\Olive Mailo\Application Data\ASKS~1
C:\Documents and Settings\Olive Mailo\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Olive Mailo\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Program Files\Common Files\smbols~1
C:\Program Files\Common Files\smbols~1\s?mbols\
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Cache\00249684.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Cache\002AFAFD.swf
C:\Program Files\FunWebProducts\ScreenSaver\Cache\files.ini
C:\Program Files\FunWebProducts\ScreenSaver\Images\00224706.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\0024958A.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\0024A9FC.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\002B2CEA.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\002F7CCC.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\00307B9F.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\00349108.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\0024A9FC.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\00349108.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\Helper
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\00090AA2
C:\Program Files\MyWebSearch\bar\Cache\0021BDD1.bin
C:\Program Files\MyWebSearch\bar\Cache\0021C1B9.bin
C:\Program Files\MyWebSearch\bar\Cache\0021DFD0.bin
C:\Program Files\MyWebSearch\bar\Cache\0021EFCE.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\center.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe.bak
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\sembly~1
C:\WINDOWS\setup.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\6_exception.nls
C:\WINDOWS\system32\drivers\smtpdrv.sys
C:\WINDOWS\system32\drivers\Uot48.sys
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\Temp\125156.exe
C:\WINDOWS\Temp\237953.exe
C:\WINDOWS\system32\wsnpoem

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RUNTIME
-------\LEGACY_SMTPDRV
-------\LEGACY_UOT48
-------\nm
-------\runtime
-------\smtpdrv
-------\Uot48
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-27 17:57 . 2007-12-27 17:57 42,496 --a------ C:\41.tmp
2007-12-27 17:57 . 2007-12-27 17:57 2 --a------ C:\42.tmp
2007-12-27 16:19 . 2007-12-27 16:19 42,496 --a------ C:\3D.tmp
2007-12-27 16:19 . 2007-12-27 16:19 2 --a------ C:\40.tmp
2007-12-27 12:34 . 2007-12-27 12:34 42,496 --a------ C:\3C.tmp
2007-12-27 12:34 . 2007-12-27 12:34 2 --a------ C:\3B.tmp
2007-12-27 06:23 . 2007-12-27 06:23 42,496 --a------ C:\3E.tmp
2007-12-27 06:23 . 2007-12-27 06:23 2 --a------ C:\3F.tmp
2007-12-27 06:17 . 2007-12-27 06:17 0 --a------ C:\1C.tmp
2007-12-27 06:17 . 2007-12-27 06:17 0 --a------ C:\1B.tmp
2007-12-27 06:17 . 2007-12-27 06:17 0 --a------ C:\1A.tmp
2007-12-27 06:17 . 2007-12-27 06:17 0 --a------ C:\19.tmp
2007-12-27 06:17 . 2007-12-27 06:17 0 --a------ C:\18.tmp
2007-12-27 06:17 . 2007-12-27 06:17 0 --a------ C:\17.tmp
2007-12-27 06:16 . 2007-12-27 06:16 0 --a------ C:\16.tmp
2007-12-27 06:16 . 2007-12-27 06:16 0 --a------ C:\15.tmp
2007-12-27 06:16 . 2007-12-27 06:16 0 --a------ C:\14.tmp
2007-12-27 06:16 . 2007-12-27 06:16 0 --a------ C:\13.tmp
2007-12-27 01:02 . 2007-12-27 01:02 0 --a------ C:\6.tmp
2007-12-27 01:02 . 2007-12-27 01:02 0 --a------ C:\5.tmp
2007-12-27 01:02 . 2007-12-27 01:02 0 --a------ C:\4.tmp
2007-12-27 01:02 . 2007-12-27 01:02 0 --a------ C:\1.tmp
2007-12-26 17:00 . 2007-12-26 17:00 42,496 --a------ C:\5A.tmp
2007-12-26 17:00 . 2007-12-26 17:00 2 --a------ C:\5D.tmp
2007-12-26 09:50 . 2007-12-26 09:53 42,496 --a------ C:\5B.tmp
2007-12-26 09:50 . 2007-12-26 09:53 2 --a------ C:\5C.tmp
2007-12-26 09:49 . 2007-12-26 09:49 42,496 --a------ C:\58.tmp
2007-12-26 09:49 . 2007-12-26 09:50 42,496 --a------ C:\56.tmp
2007-12-26 09:49 . 2007-12-26 09:49 2 --a------ C:\59.tmp
2007-12-26 09:49 . 2007-12-26 09:49 2 --a------ C:\57.tmp
2007-12-26 08:58 . 2007-12-26 08:58 410,437 --a------ C:\bgfile(2007, 12, 26, 8, 58, 58, 2, 360, 0).bmp
2007-12-26 08:52 . 2007-12-26 08:52 42,496 --a------ C:\2.tmp
2007-12-26 08:52 . 2007-12-26 08:52 2 --a------ C:\3.tmp
2007-12-21 17:05 . 2007-12-21 17:05 <DIR> d-------- C:\Documents and Settings\Grant Mailo\Application Data\Talkback
2007-12-19 21:25 . 2007-12-27 18:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-19 21:25 . 2007-12-19 21:25 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-18 22:07 . 2007-12-27 18:40 21,760 --a------ C:\WINDOWS\Uot48.sys
2007-12-17 13:33 . 2007-12-17 13:33 <DIR> d-------- C:\Deacon's Role
2007-12-16 16:51 . 2007-12-27 01:10 52,736 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2007-12-14 13:51 . 2007-12-17 12:39 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Shared
2007-12-14 13:51 . 2007-12-17 12:39 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Incomplete
2007-12-14 13:51 . 2007-12-17 09:52 <DIR> d-------- C:\Documents and Settings\Marcellinus Mailo\Application Data\LimeWire
2007-12-13 20:42 . 2007-12-13 20:42 <DIR> d-------- C:\Program Files\MathType
2007-12-13 20:42 . 2007-12-13 20:42 <DIR> d-------- C:\Documents and Settings\Olive Mailo\Application Data\Design Science
2007-12-12 18:30 . 2007-12-12 18:30 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-12 17:49 . 2007-12-12 17:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-12 04:12 . 2004-08-10 05:00 29,056 --a--c--- C:\WINDOWS\system32\dllcache\ip6fw.sys
2007-12-12 03:11 . 2007-12-12 04:28 <DIR> d-------- C:\Documents and Settings\Marcellinus Mailo\Application Data\SUPERAntiSpyware.com
2007-12-12 03:02 . 2007-12-12 03:02 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-12 02:59 . 2007-12-12 02:59 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-11 19:37 . 2007-12-12 04:15 <DIR> d-------- C:\Program Files\Mvdzjtcp
2007-12-11 19:28 . 2007-12-11 19:28 <DIR> d-------- C:\WINDOWS\system32\hlvbfwoq
2007-12-11 19:28 . 2007-12-11 19:28 57,856 --a------ C:\pgdxf.exe
2007-12-11 19:28 . 2007-12-11 19:28 19,968 --a------ C:\opnvmwvi.exe
2007-12-11 19:28 . 2007-12-11 19:28 2 --a------ C:\-463259569
2007-12-11 19:27 . 2007-12-11 19:28 1,154,709 --a------ C:\Install
2007-12-10 21:44 . 2007-12-11 19:39 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-10 10:08 . 2007-12-10 10:08 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-12-05 08:16 . 2007-12-05 08:17 <DIR> d-------- C:\ChristmasPlay
2007-12-05 08:15 . 2007-12-05 08:15 <DIR> d-------- C:\Documents and Settings\Marcellinus Mailo\Application Data\Template
2007-12-04 21:14 . 2007-12-04 21:14 <DIR> d-------- C:\Documents and Settings\Olive Mailo\Application Data\CyberLink
2007-12-04 09:02 . 2007-12-04 09:02 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2007-12-04 09:02 . 2007-12-04 09:03 <DIR> d-------- C:\Documents and Settings\Marcellinus Mailo\Application Data\Vso
2007-12-04 09:02 . 2007-12-04 09:02 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-12-04 09:02 . 2007-12-04 09:02 47,360 --a------ C:\Documents and Settings\Marcellinus Mailo\Application Data\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 00:02 --------- d-----w C:\Documents and Settings\Grant Mailo\Application Data\LimeWire
2007-12-17 01:46 --------- d-----w C:\Program Files\LimeWire
2007-12-13 01:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-12 02:53 --------- d-----w C:\Program Files\Microsoft Works
2007-12-08 21:59 --------- d-----w C:\Documents and Settings\Olive Mailo\Application Data\uTorrent
2007-12-06 20:05 242 ----a-w C:\Documents and Settings\Marcellinus Mailo\Application Data\wklnhst.dat
2007-12-06 17:06 --------- d-----w C:\Program Files\e-Sword
2007-11-28 14:37 --------- d-----w C:\Program Files\Java
2007-11-17 01:40 --------- d-----w C:\Program Files\Zune
2007-11-17 01:39 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-11-16 04:38 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-06 18:33 --------- d-----w C:\Program Files\iTunes
2007-11-06 18:33 --------- d-----w C:\Program Files\iPod
2007-11-06 18:32 --------- d-----w C:\Program Files\QuickTime
2007-10-28 07:02 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-28 07:02 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-10-28 04:00 --------- d-----w C:\Documents and Settings\Olive Mailo\Application Data\Media Player Classic
2007-04-05 00:29 374 ----a-w C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb6334.dat
2007-04-05 00:06 18,432 ----a-w C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb41.dat
2007-04-04 22:28 538 ----a-w C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb8467.dat
2007-01-06 04:43 299 ----a-w C:\Documents and Settings\Olive Mailo\Application Data\internaldb1942.dat
2004-08-10 12:00 465,920 ----a-r C:\Documents and Settings\Grant Mailo\Application Data\ntos.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 19:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 21:10]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 05:00 C:\WINDOWS\system32\rundll32.exe]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [2004-05-19 13:00]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 15:32 C:\WINDOWS\ALCWZRD.EXE]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 13:26]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-03 22:21]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-04 09:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-15 21:51]
"Local Security Authority Service"="C:\WINDOWS\system32\Isass.exe" []
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-03 22:21]

C:\Documents and Settings\Olive Mailo\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 01:12:18]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-06-21 07:58:33]

C:\Documents and Settings\Grant Mailo\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-06-21 07:58:33]

C:\Documents and Settings\Marcellinus Mailo\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-02-04 14:01:37]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-03 22:21:28]
m-trip Launcher.lnk - C:\Program Files\OLYMPUS\m-trip\Bin\m-tripLauncher.exe [2007-02-07 20:58:06]
Push Client.LNK - C:\Interwise\Student\pull.exe [2006-11-08 05:31:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= C:\Program Files\Trend Micro\Tmas\sshook.dll [2006-08-24 20:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winosz32]
winosz32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 13:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-03-09 10:29 139264 --a--c--- C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
2003-04-19 21:08 28672 --a--c--- C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-19 21:08 28672 --a--c--- C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe /Stationary

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2004-08-19 17:07 331776 --a------ c:\program files\sony\vaio survey\surveysa.exe

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S2 AdobeActiveFileMonitor;AdobeActiveFileMonitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe []
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2007-12-27 01:29]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys [2007-12-27 01:10]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c48f5f0-2ec7-11dc-b6f0-0013d42416c8}]
\Shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{672a76a2-4e74-11dc-b7bc-0013d42416c8}]
\shell\Setup\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e0812a5-3d28-11dc-b76c-0013d42416c8}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddbb0dc2-3cbd-11dc-b76b-0013d42416c8}]
\Shell\AutoRun\command - K:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-20 18:13:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 10:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-12-28 01:44:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 18:43:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-27 18:45:54 - machine was rebooted
.
2007-12-21 12:57:30 --- E O F ---

#4 bamajim

bamajim

  • Members
  • 894 posts
  • Local time:07:25 PM

Posted 28 December 2007 - 08:59 AM

Grantastic

Before we continue, you have a couple of suspicious files I would like to look at.

Please go HERE

Put Your Name, and Bleeping Computer HJT forum

and in the "File to submit" box, click Browse. Using Windows Explorer (right-click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window; click on the "+" next to any folder name to expand its contents), locate the files (one in each box):
C:\Install
C:\56.tmp

In the comments tell them that I asked you to upload the file
Then Select Send File.
Microsoft MVP - Windows Security

#5 Grantastic

Grantastic
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Phoenix, AZ
  • Local time:05:25 PM

Posted 29 December 2007 - 11:13 PM

I have submitted the files.

#6 bamajim

bamajim

  • Members
  • 894 posts
  • Local time:07:25 PM

Posted 30 December 2007 - 01:07 PM

Grantastic

I got the files; they are bad.

1. Open Notepad (not WordPad). Copy and paste the following into Notepad (not the word "code"):
File::
C:\41.tmp
C:\42.tmp
C:\3D.tmp
C:\40.tmp
C:\3C.tmp
C:\3B.tmp
C:\3E.tmp
C:\3F.tmp
C:\1C.tmp
C:\1B.tmp
C:\1A.tmp
C:\19.tmp
C:\18.tmp
C:\17.tmp
C:\16.tmp
C:\15.tmp
C:\14.tmp
C:\13.tmp
C:\6.tmp
C:\5.tmp
C:\4.tmp
C:\1.tmp
C:\5A.tmp
C:\5D.tmp
C:\5B.tmp
C:\5C.tmp
C:\58.tmp
C:\56.tmp
C:\59.tmp
C:\57.tmp
C:\2.tmp
C:\3.tmp
C:\pgdxf.exe
C:\opnvmwvi.exe
C:\-463259569
C:\Install
C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb6334.dat
C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb41.dat
C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb8467.dat
C:\Documents and Settings\Olive Mailo\Application Data\internaldb1942.dat
C:\Documents and Settings\Grant Mailo\Application Data\ntos.exe

Folder::
C:\Program Files\Mvdzjtcp
C:\WINDOWS\system32\hlvbfwoq

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Local Security Authority Service"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winosz32]
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe
You will be prompted to run ComboFix again. Do so,
Following the same rules as indicated in my first post
Then post the contents of the C:\ComboFix.txt log in your reply
2. Run Hijackthis and post a fresh Hijackthis log as well
Microsoft MVP - Windows Security
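
The Registry:: lines in the script above remove the "Local Security Authority Service" Run value, whose path C:\WINDOWS\system32\Isass.exe differs from the real lsass.exe by a single capital I in place of the l. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses the "Reg Loading Points" block of a ComboFix log (the sample is a subset of the log posted earlier in this thread), flags autostart values whose file name is exactly one character away from a well-known system process name or that ComboFix printed with an empty [] timestamp, and drafts the matching Registry:: section in the CFScript form used here. The SYSTEM_NAMES list, the one-character-substitution rule and the empty-timestamp heuristic are my assumptions for this example, and only the high-confidence hits are turned into deletions; the [] entries (updateMgr, SNM) are reported for a person to decide on.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for masquerading
autostart entries and draft a CFScript Registry:: section for the hits.
Added example for this thread; not ComboFix's own code.  The heuristics
(SYSTEM_NAMES, one-character substitution, empty timestamp) are assumptions."""
import ntpath
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Process names that malware imitates by swapping one character (assumed list).
SYSTEM_NAMES = ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="path" [timestamp ...]   -- the ComboFix value-line layout
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')

# Lines excerpted from the log posted earlier in this thread (constructed subset).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 05:00 C:\WINDOWS\system32\rundll32.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38]
"Local Security Authority Service"="C:\WINDOWS\system32\Isass.exe" []
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"""


def near_system_name(basename: str) -> Optional[str]:
    """Return the system process name that `basename` imitates, i.e. the one it
    matches after exactly one character substitution (Isass.exe -> lsass.exe).
    Exact matches are legitimate and return None."""
    b = basename.lower()
    if b in SYSTEM_NAMES:
        return None
    for sys_name in SYSTEM_NAMES:
        if len(b) == len(sys_name) and sum(x != y for x, y in zip(b, sys_name)) == 1:
            return sys_name
    return None


def parse_run_entries(log_text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (registry key, value name, image path, bracketed metadata) for each
    value line that follows a [key] header in the Reg Loading Points dump."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("path"), m.group("meta")


def audit(log_text: str) -> List[Dict[str, object]]:
    """Flag entries worth a second look.  'high' = file name imitates a system
    process; 'review' = ComboFix printed an empty [] (it found no file to stamp)."""
    findings = []
    for key, name, path, meta in parse_run_entries(log_text):
        reasons, severity = [], None
        imitated = near_system_name(ntpath.basename(path))
        if imitated:
            reasons.append(f"file name imitates {imitated}")
            severity = "high"
        if not meta.strip():
            reasons.append("no file timestamp in log (file absent or hidden at scan time)")
            severity = severity or "review"
        if reasons:
            findings.append({"key": key, "name": name, "path": path,
                             "severity": severity, "reasons": reasons})
    return findings


def cfscript_registry_section(findings) -> str:
    """Render the Registry:: block in the CFScript form used in this thread:
    a [key] header followed by "Name"=- for each value to delete.  Only 'high'
    findings are included; 'review' items need a human decision first."""
    by_key: Dict[str, List[str]] = {}
    for f in findings:
        if f["severity"] == "high":
            by_key.setdefault(f["key"], []).append(f["name"])
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    hits = audit(SAMPLE_LOG)
    for f in hits:
        print(f'{f["severity"]:6} {f["name"]!r} -> {f["path"]}: {"; ".join(f["reasons"])}')
    print(cfscript_registry_section(hits))
```

Run against the sample, the only deletion drafted is the Isass.exe value under HKLM\...\Run, which is the same line the script in this post removes; updateMgr and SNM come out as "review" because an empty [] can also mean an uninstalled program whose Run value was left behind.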

#7 Grantastic

Grantastic
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:Phoenix, AZ
  • Local time:05:25 PM

Posted 30 December 2007 - 08:51 PM

First is the ComboFix log. Second is the HiJackThis log. There is a big gap between the two.

ComboFix 07-12-28.1 - Marcellinus Mailo 2007-12-30 18:33:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.528 [GMT -7:00]
Running from: C:\Documents and Settings\Marcellinus Mailo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marcellinus Mailo\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\-463259569
C:\1.tmp
C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\1B.tmp
C:\1C.tmp
C:\2.tmp
C:\3.tmp
C:\3B.tmp
C:\3C.tmp
C:\3D.tmp
C:\3E.tmp
C:\3F.tmp
C:\4.tmp
C:\40.tmp
C:\41.tmp
C:\42.tmp
C:\5.tmp
C:\56.tmp
C:\57.tmp
C:\58.tmp
C:\59.tmp
C:\5A.tmp
C:\5B.tmp
C:\5C.tmp
C:\5D.tmp
C:\6.tmp
C:\Documents and Settings\Grant Mailo\Application Data\ntos.exe
C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb41.dat
C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb6334.dat
C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb8467.dat
C:\Documents and Settings\Olive Mailo\Application Data\internaldb1942.dat
C:\Install
C:\opnvmwvi.exe
C:\pgdxf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-463259569
C:\1.tmp
C:\13.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\1B.tmp
C:\1C.tmp
C:\2.tmp
C:\3.tmp
C:\3B.tmp
C:\3C.tmp
C:\3D.tmp
C:\3E.tmp
C:\3F.tmp
C:\4.tmp
C:\40.tmp
C:\41.tmp
C:\42.tmp
C:\5.tmp
C:\56.tmp
C:\57.tmp
C:\58.tmp
C:\59.tmp
C:\5A.tmp
C:\5B.tmp
C:\5C.tmp
C:\5D.tmp
C:\6.tmp
C:\Documents and Settings\Grant Mailo\Application Data\ntos.exe
C:\Documents and Settings\Grant Mailo\Application Data\wsnpoem
C:\Documents and Settings\Grant Mailo\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\Grant Mailo\Application Data\wsnpoem\video.dll
C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb41.dat
C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb6334.dat
C:\Documents and Settings\Marcellinus Mailo\Application Data\internaldb8467.dat
C:\Documents and Settings\Olive Mailo\Application Data\internaldb1942.dat
C:\Install
C:\opnvmwvi.exe
C:\pgdxf.exe
C:\Program Files\Mvdzjtcp
C:\WINDOWS\system32\hlvbfwoq
C:\WINDOWS\system32\hlvbfwoq\bg1.gif
C:\WINDOWS\system32\hlvbfwoq\bgtop.gif
C:\WINDOWS\system32\hlvbfwoq\bottom1.gif
C:\WINDOWS\system32\hlvbfwoq\essentials.gif
C:\WINDOWS\system32\hlvbfwoq\icon1.ico
C:\WINDOWS\system32\hlvbfwoq\install1.gif
C:\WINDOWS\system32\hlvbfwoq\left1.gif
C:\WINDOWS\system32\hlvbfwoq\li.gif
C:\WINDOWS\system32\hlvbfwoq\logo.gif
C:\WINDOWS\system32\hlvbfwoq\main.htm
C:\WINDOWS\system32\hlvbfwoq\mainframe.htm
C:\WINDOWS\system32\hlvbfwoq\reinstall1.gif
C:\WINDOWS\system32\hlvbfwoq\right1.gif
C:\WINDOWS\system32\hlvbfwoq\s1.htm
C:\WINDOWS\system32\hlvbfwoq\s2.htm
C:\WINDOWS\system32\hlvbfwoq\s3.htm
C:\WINDOWS\system32\hlvbfwoq\SMTop1.gif
C:\WINDOWS\system32\hlvbfwoq\SMTop2.gif
C:\WINDOWS\system32\hlvbfwoq\SMTop3.gif
C:\WINDOWS\system32\hlvbfwoq\SMTop4.gif
C:\WINDOWS\system32\hlvbfwoq\soft1_off.gif
C:\WINDOWS\system32\hlvbfwoq\soft1_off_ext.gif
C:\WINDOWS\system32\hlvbfwoq\soft1_on.gif
C:\WINDOWS\system32\hlvbfwoq\soft1_on_ext.gif
C:\WINDOWS\system32\hlvbfwoq\soft2_off.gif
C:\WINDOWS\system32\hlvbfwoq\soft2_off_ext.gif
C:\WINDOWS\system32\hlvbfwoq\soft2_on.gif
C:\WINDOWS\system32\hlvbfwoq\soft2_on_ext.gif
C:\WINDOWS\system32\hlvbfwoq\soft3_off.gif
C:\WINDOWS\system32\hlvbfwoq\soft3_off_ext.gif
C:\WINDOWS\system32\hlvbfwoq\soft3_on.gif
C:\WINDOWS\system32\hlvbfwoq\soft3_on_ext.gif
C:\WINDOWS\system32\hlvbfwoq\softbottom_off.gif
C:\WINDOWS\system32\hlvbfwoq\softbottom_on.gif
C:\WINDOWS\system32\hlvbfwoq\softleft_off.gif
C:\WINDOWS\system32\hlvbfwoq\softleft_on.gif
C:\WINDOWS\system32\hlvbfwoq\top1.gif
C:\WINDOWS\system32\hlvbfwoq\top2.gif
C:\WINDOWS\system32\hlvbfwoq\turnoff1.gif
C:\WINDOWS\system32\hlvbfwoq\turnon1.gif

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-27 01:03 . 2007-12-27 01:03 0 --a------ C:\F.tmp
2007-12-26 08:58 . 2007-12-26 08:58 410,437 --a------ C:\bgfile(2007, 12, 26, 8, 58, 58, 2, 360, 0).bmp
2007-12-21 17:05 . 2007-12-21 17:05 <DIR> d-------- C:\Documents and Settings\Grant Mailo\Application Data\Talkback
2007-12-19 21:25 . 2007-12-30 17:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-19 21:25 . 2007-12-19 21:25 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-18 22:07 . 2007-12-27 18:40 21,760 --a------ C:\WINDOWS\Uot48.sys
2007-12-17 13:33 . 2007-12-17 13:33 <DIR> d-------- C:\Deacon's Role
2007-12-16 16:51 . 2007-12-27 01:10 52,736 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2007-12-14 13:51 . 2007-12-17 12:39 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Shared
2007-12-14 13:51 . 2007-12-17 12:39 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Incomplete
2007-12-14 13:51 . 2007-12-17 09:52 <DIR> d-------- C:\Documents and Settings\Marcellinus Mailo\Application Data\LimeWire
2007-12-13 20:42 . 2007-12-13 20:42 <DIR> d-------- C:\Program Files\MathType
2007-12-13 20:42 . 2007-12-13 20:42 <DIR> d-------- C:\Documents and Settings\Olive Mailo\Application Data\Design Science
2007-12-12 18:30 . 2007-12-12 18:30 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-12 17:49 . 2007-12-12 17:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-12 04:12 . 2004-08-10 05:00 29,056 --a--c--- C:\WINDOWS\system32\dllcache\ip6fw.sys
2007-12-12 03:11 . 2007-12-12 04:28 <DIR> d-------- C:\Documents and Settings\Marcellinus Mailo\Application Data\SUPERAntiSpyware.com
2007-12-12 03:02 . 2007-12-12 03:02 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-12 02:59 . 2007-12-12 02:59 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-10 21:44 . 2007-12-11 19:39 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-10 10:08 . 2007-12-10 10:08 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-12-05 08:16 . 2007-12-05 08:17 <DIR> d-------- C:\ChristmasPlay
2007-12-05 08:15 . 2007-12-05 08:15 <DIR> d-------- C:\Documents and Settings\Marcellinus Mailo\Application Data\Template
2007-12-04 21:14 . 2007-12-04 21:14 <DIR> d-------- C:\Documents and Settings\Olive Mailo\Application Data\CyberLink
2007-12-04 09:02 . 2007-12-04 09:02 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2007-12-04 09:02 . 2007-12-04 09:03 <DIR> d-------- C:\Documents and Settings\Marcellinus Mailo\Application Data\Vso
2007-12-04 09:02 . 2007-12-04 09:02 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-12-04 09:02 . 2007-12-04 09:02 47,360 --a------ C:\Documents and Settings\Marcellinus Mailo\Application Data\pcouffin.sys
2007-11-19 12:07 . 2007-11-19 12:07 <DIR> d-------- C:\Interpretingthe Bible
2007-11-16 18:39 . 2007-11-16 18:40 <DIR> d-------- C:\Program Files\Zune
2007-11-16 18:39 . 2007-11-16 18:39 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-11-15 21:51 . 2007-11-15 21:51 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-15 21:51 . 2007-11-15 21:51 155,552 --a------ C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-15 21:51 . 2007-11-15 21:51 80,288 --a------ C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-15 21:51 . 2007-11-15 21:51 72,608 --a------ C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-15 21:51 . 2007-11-15 21:51 59,296 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-15 21:51 . 2007-11-15 21:51 45,472 --a------ C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-15 21:38 . 2007-11-15 21:38 40,832 --a------ C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-14 05:24 . 2007-11-14 05:24 <DIR> d-------- C:\d97afc741532b7e44764
2007-11-08 15:37 . 2007-11-08 15:37 <DIR> d-------- C:\VA Claim Letter
2007-11-06 11:33 . 2007-11-06 11:33 <DIR> d-------- C:\Program Files\iTunes
2007-11-06 11:33 . 2007-11-06 11:33 <DIR> d-------- C:\Program Files\iPod
2007-11-06 10:41 . 2007-11-06 10:51 <DIR> d-------- C:\TSAContigientOffer
2007-11-03 08:37 . 2007-11-03 09:17 <DIR> d-------- C:\Paoa_Taua'a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 08:35 8,704 ----a-w C:\WINDOWS\system32\netdde.exe
2007-12-27 08:34 8,704 ----a-w C:\WINDOWS\system32\msdtc.exe
2007-12-27 08:32 8,704 ----a-w C:\WINDOWS\system32\mnmsrvc.exe
2007-12-27 00:02 --------- d-----w C:\Documents and Settings\Grant Mailo\Application Data\LimeWire
2007-12-18 05:06 16,402,204 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-17 01:46 --------- d-----w C:\Program Files\LimeWire
2007-12-13 01:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-12 02:53 --------- d-----w C:\Program Files\Microsoft Works
2007-12-11 22:34 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2007-12-11 22:34 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2007-12-11 22:34 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2007-12-08 21:59 --------- d-----w C:\Documents and Settings\Olive Mailo\Application Data\uTorrent
2007-12-06 20:05 242 ----a-w C:\Documents and Settings\Marcellinus Mailo\Application Data\wklnhst.dat
2007-12-06 17:06 --------- d-----w C:\Program Files\e-Sword
2007-11-28 14:37 --------- d-----w C:\Program Files\Java
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-06 18:32 --------- d-----w C:\Program Files\QuickTime
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 07:02 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-28 07:02 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-10-28 04:00 --------- d-----w C:\Documents and Settings\Olive Mailo\Application Data\Media Player Classic
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-22 10:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 10:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-18 20:09 1,419,232 ----a-w C:\WINDOWS\system32\WdfCoInstaller01005.dll
2007-10-12 22:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 22:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-02 16:56 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
2007-09-29 10:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 10:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 10:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 09:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 09:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 09:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 09:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 09:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 09:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 09:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 09:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 09:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 09:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 09:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 09:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 09:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 09:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 09:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-16 20:59 118,947 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_15_19_44_28_small.dmp.zip
2006-10-26 04:09 13,590 ----a-w C:\WINDOWS\Fonts\jungle_life.zip
2006-10-24 13:02 56,464 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_10_24_06_02_46_small.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 19:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 21:10]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 05:00 C:\WINDOWS\system32\rundll32.exe]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [2004-05-19 13:00]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 15:32 C:\WINDOWS\ALCWZRD.EXE]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 13:26]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-03 22:21]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-04 09:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-15 21:51]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-03 22:21]

C:\Documents and Settings\Olive Mailo\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 01:12:18]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-06-21 07:58:33]

C:\Documents and Settings\Grant Mailo\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-06-21 07:58:33]

C:\Documents and Settings\Marcellinus Mailo\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-02-04 14:01:37]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-03 22:21:28]
m-trip Launcher.lnk - C:\Program Files\OLYMPUS\m-trip\Bin\m-tripLauncher.exe [2007-02-07 20:58:06]
Push Client.LNK - C:\Interwise\Student\pull.exe [2006-11-08 05:31:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= C:\Program Files\Trend Micro\Tmas\sshook.dll [2006-08-24 20:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 13:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-03-09 10:29 139264 --a--c--- C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
2003-04-19 21:08 28672 --a--c--- C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-19 21:08 28672 --a--c--- C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe /Stationary

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2004-08-19 17:07 331776 --a------ c:\program files\sony\vaio survey\surveysa.exe

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S2 AdobeActiveFileMonitor;AdobeActiveFileMonitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe []
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2007-12-27 01:29]
S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys [2007-12-27 01:10]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c48f5f0-2ec7-11dc-b6f0-0013d42416c8}]
\Shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{672a76a2-4e74-11dc-b7bc-0013d42416c8}]
\shell\Setup\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e0812a5-3d28-11dc-b76c-0013d42416c8}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddbb0dc2-3cbd-11dc-b76b-0013d42416c8}]
\Shell\AutoRun\command - K:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-20 18:13:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 10:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-12-31 01:11:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 18:39:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 18:39:51
C:\ComboFix2.txt ... 2007-12-27 18:45
.
2007-12-21 12:57:30 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:37 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\OLYMPUS\m-trip\Bin\m-tripLauncher.exe
C:\Interwise\Student\pull.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\MrobeService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Marcellinus Mailo\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: XBTP01621 Class - {9EBBE90B-282E-4c39-8A7E-120749169F0F} - C:\PROGRA~1\BEARSH~2\MediaBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Grant's Stuff\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: m-trip Launcher.lnk = ?
O4 - Global Startup: Push Client.LNK = C:\Interwise\Student\pull.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZRfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...lante_load.html
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: 6to4 - Unknown owner - C:\WINDOWS\TEMP\563656.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeActiveFileMonitor - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: ehRecvr - Unknown owner - C:\WINDOWS\eHome\ehRecvr.exe (file missing)
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAANTMon - Unknown owner - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe (file missing)
O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Unknown owner - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\system32\MrobeService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe
O23 - Service: NVSvc - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TVTA Manager - Unknown owner - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12693 bytes
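
As an added triage example (not part of this thread, and not HijackThis code), the following Python parses the O23 "Service" lines of the log format shown above and flags the entries a helper would look at first. The sample input is copied from this log; the heuristics (binary in a temp directory, unknown owner with a missing file, purely numeric executable name) are my own assumptions about what merits a closer look, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: four O23 lines taken verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
O23 - Service: 6to4 - Unknown owner - C:\WINDOWS\TEMP\563656.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# O23 layout: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

@dataclass
class ServiceEntry:
    name: str
    owner: str          # HijackThis prints "Unknown owner" when it cannot read a company name
    path: str
    file_missing: bool  # HijackThis appends "(file missing)" when the binary is absent

def parse_o23(log_text: str) -> list[ServiceEntry]:
    """Return one ServiceEntry per O23 line; other log lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["name"], m["owner"], m["path"], m["missing"] is not None))
    return entries

def triage(entries: list[ServiceEntry]) -> dict[str, list[str]]:
    """Map service name -> list of reasons it deserves attention (assumed heuristics)."""
    report: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        path = e.path.lower()
        exe = path.rsplit("\\", 1)[-1]
        if "\\temp\\" in path or "\\tmp\\" in path:
            reasons.append("binary in a temp directory")
        if e.owner == "Unknown owner" and e.file_missing:
            reasons.append("unknown owner and binary missing (orphaned service entry)")
        if re.fullmatch(r"\d+\.exe", exe):
            reasons.append("purely numeric executable name")
        if reasons:
            report[e.name] = reasons
    return report

if __name__ == "__main__":
    for name, reasons in triage(parse_o23(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the full log, the 6to4 entry trips all three heuristics while ATI Smart trips only the orphaned-entry one, which matches the distinction a helper would draw between a suspicious leftover and a stale vendor entry.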

#8 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:07:25 PM

Posted 31 December 2007 - 12:17 PM

Grantastic

Looking good.

How's your PC running now?
Microsoft MVP - Windows Security

#9 Grantastic

Grantastic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:Phoenix, AZ
  • Local time:05:25 PM

Posted 01 January 2008 - 06:58 PM

Absolutely fine but I still can't change the wallpaper on the other user accounts...

#10 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:07:25 PM

Posted 02 January 2008 - 10:05 AM

Grantastic

Absolutely fine but I still can't change the wallpaper on the other user accounts...

I needed to know where we are. Let's do this

1. Open NotePad (not wordpad). Copy and paste the following into Notepad
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=-
"AllowUnhashedWebView"=-
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run ComboFix again. Do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
If the condition exists with the other user accounts, then log in under one of the problem user accounts and post a Hijackthis log from that account.
Microsoft MVP - Windows Security
