Vundo Infection


3 replies to this topic

#1 Daimeion

Posted 27 June 2008 - 07:52 PM

I'm working on a computer that had a bad Vundo infection. Spyware Doctor was able to remove enough to get to the point where I could use other tools. Malwarebytes Anti-Malware, Spybot S&D, and Ad-Aware 2007 all removed different bits. It seems to be gone, but I'd like one of the experts to help me make sure!

I had run Deckard early on, so I don't think the extra.txt is relevant anymore. But here is the main.txt and the Kaspersky scan:

Deckard's System Scanner v20071014.68
Run by Bruce on 2008-06-27 17:44:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Bruce.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:28 PM, on 6/27/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Bruce\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bruce.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhughesnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\2.bin\A5SRCHAS.DLL
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\2.bin\A5SRCHAS.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{D6C55862-91C9-4C13-9D8C-589EA19ED5DD}
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1065693716-1838386792-3307196886-1007\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun (User '?')
O4 - HKUS\S-1-5-21-1065693716-1838386792-3307196886-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1065693716-1838386792-3307196886-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-1065693716-1838386792-3307196886-1007\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User '?')
O4 - HKUS\S-1-5-21-1065693716-1838386792-3307196886-1007\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" (User '?')
O4 - HKUS\S-1-5-21-1065693716-1838386792-3307196886-1007\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-1065693716-1838386792-3307196886-1007\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{3A3262CD-E02B-484A-89BD-021D03419C67} (User '?')
O4 - HKUS\S-1-5-21-1065693716-1838386792-3307196886-500\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /detectMem (User 'Administrator')
O4 - HKUS\S-1-5-21-1065693716-1838386792-3307196886-500\..\RunOnce: [DPAPIKeyMig] "C:\Windows\system32\dpapimig.exe" -quiet (User 'Administrator')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B71E640E-D359-42CA-9491-49CFB5C95476}: Domain = hughes.net
O20 - Winlogon Notify: GoToAssist - C:\Windows\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 15685 bytes

-- Files created between 2008-05-27 and 2008-06-27 -----------------------------

2008-06-27 12:56:05 254402286 --a----c- C:\beforeHTJ.reg
2008-06-27 12:42:49 0 d-------- C:\Program Files\Trend Micro
2008-06-27 08:16:45 0 d------c- C:\327882R2FWJFW
2008-06-26 17:43:55 0 d------c- C:\VundoFix Backups
2008-06-26 16:11:33 0 d-------- C:\Program Files\Lavasoft
2008-06-26 14:46:23 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 14:24:38 0 d-------- C:\Program Files\CCleaner
2008-06-24 07:49:32 0 d------c- C:\PCXNP
2008-06-24 07:49:31 0 d-------- C:\Program Files\Marantz Professional
2008-06-23 21:37:15 0 d------c- C:\EPSONREG
2008-06-23 20:26:56 303104 --a------ C:\Windows\Film Factory.scr <Not Verified; ; Film Factory Screen Saver Application>
2008-06-23 20:26:40 0 d-------- C:\Program Files\EPSON Software
2008-06-23 16:30:04 0 d-------- C:\Program Files\EPSON Print CD
2008-06-23 16:05:30 0 d-------- C:\Program Files\EPSON
2008-06-23 15:16:23 0 d-------- C:\Windows\system32\DLA
2008-06-23 14:47:06 0 d-------- C:\Program Files\Roxio
2008-06-22 21:53:18 0 d------c- C:\PSADMIN
2008-06-22 21:52:32 20976 --a------ C:\Windows\system\CTL3D.DLL <Not Verified; Microsoft Corporation; 3d Windows Control>
2008-06-22 21:50:22 246784 --a------ C:\Windows\UNINST16.EXE <Not Verified; Stirling Technologies, Inc.; InstallShield Deinstaller>
2008-06-22 12:37:54 0 d-------- C:\Program Files\XPC Tools
2008-06-07 10:37:18 0 d------c- C:\KVMR
2008-06-05 21:25:09 0 d-------- C:\Program Files\Akamai
2008-06-05 10:26:05 0 d-------- C:\Users\Bruce\Kodak
2008-05-31 17:46:44 0 d-------- C:\Program Files\Memorex exPressit Label Design Studio


-- Find3M Report ---------------------------------------------------------------

2008-06-27 13:01:25 3217 --a------ C:\Windows\bthservsdp.dat
2008-06-26 16:10:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 15:39:06 0 d-------- C:\Program Files\Spyware Doctor
2008-06-26 14:46:34 0 d-------- C:\Users\Bruce\AppData\Roaming\Malwarebytes
2008-06-26 14:32:09 0 d-------- C:\Program Files\Java
2008-06-24 07:49:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-23 21:37:20 0 d-------- C:\Users\Bruce\AppData\Roaming\Leadertech
2008-06-23 15:08:01 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-23 15:04:28 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-06-23 14:57:45 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-11 08:04:18 0 d-------- C:\Program Files\Windows Mail
2008-06-07 10:25:10 0 d-------- C:\Users\Bruce\AppData\Roaming\Canon
2008-06-05 21:41:30 0 d-------- C:\Users\Bruce\AppData\Roaming\Download Manager
2008-05-07 08:24:22 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 12:32:43 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-04 10:25:24 0 d-------- C:\Program Files\NeroInstall.bak
2008-05-04 10:22:36 0 d-------- C:\Users\Bruce\AppData\Roaming\Nero
2008-05-04 10:18:41 0 d-------- C:\Program Files\Common Files\Nero
2008-05-04 10:14:09 0 d-------- C:\Program Files\Nero
2008-05-04 10:14:09 0 d-------- C:\Program Files\Common Files
2008-05-04 08:43:11 0 d-------- C:\Program Files\Common Files\Ahead


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [01/23/2007 03:44 PM C:\Windows\KHALMNPR.Exe]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 10:23 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [10/03/2006 12:35 PM]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [11/05/2006 11:22 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [06/02/2008 07:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/08/2008 09:47 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [11/02/2006 02:45 AM]
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [11/02/2006 02:45 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 12:34 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/31/2007 07:21 PM]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" [11/09/2006 11:19 AM]
"DriverUpdaterPro"="C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe" [06/06/2008 03:38 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [5/24/2006 5:28:28 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/8/2007 10:51:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\Windows\pss\Adobe Gamma.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=C:\Windows\pss\Dell Network Assistant.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\Windows\pss\Event Reminder.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\Windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HughesNet Tools.lnk]
backup=C:\Windows\pss\HughesNet Tools.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\Windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\Windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
"C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\American Airlines DealFinder]
"C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
"C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
C:\Windows\ehome\ehTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
Rundll32 CTMBHA.DLL,MBMon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\HUGHES~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\MediaDirect\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simple Star PhotoShow Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
"C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\Windows\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
"C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
"rundll32.exe" oobefldr.dll,ShowWelcomeCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
"C:\Program Files\Windows Media Player\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
WudfServiceGroup WUDFSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88a99a93-ef7e-11dc-88ff-0016cfd05346}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c05abb4f-cde2-11db-981e-806e6f6e6963}]
AutoRun\command- D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c78e5a0f-43c2-11dd-9ab3-0016cfd05346}]
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-27 17:45:29 ------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 27, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 27, 2008 19:47:37
Records in database: 890964
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 245545
Threat name: 9
Infected objects: 28
Suspicious objects: 81
Duration of the scan: 03:31:22


File name / Threat name / Threats count
C:\ARAMAC\Web Pages\.panel\users\patrice\cur\1146006236.53806.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\.panel\users\patrice\cur\1146008773.81311.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1146006236.53806.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1146008773.81311.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1152146547.31134.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Paylap.iy 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1155143948.30263.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1158752597.53967.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Paylap.jm 2
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1158863621.94034.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1159366153.26303.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1159366153.26304.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1159519329.4046.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1159883903.62479.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1161138813.78819.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Bayfraud.kh 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1163706463.54663.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1163717763.18798.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1163725674.10955.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1164062905.14909.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1168492673.8465.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1168610101.30554.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1168927453.38368.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1168981527.11595.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1170097612.20144.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1170261391.50233.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARFS\Web Pages\.panel\users\patrice\cur\1146006236.53806.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARFS\Web Pages\.panel\users\patrice\cur\1146008773.81311.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\My Downloads\fp2006-final-3.00-setup(2).zip Infected: not-virus:BadJoke.JS.RJump 1
C:\My Downloads\fp2006-final-3.00-setup(3).zip Infected: not-virus:BadJoke.JS.RJump 1
C:\My Downloads\fp2006-final-3.00-setup(4).zip Infected: not-virus:BadJoke.JS.RJump 1
C:\My Downloads\fp2006-final-3.00-setup.zip Infected: not-virus:BadJoke.JS.RJump 1
C:\My Downloads\WebfettiSetup2.3.50.10.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az 1
C:\Program Files\AskTBar\SrchAstt\2.bin\A5SRCHAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az 1
C:\Q-Note Productions\Web Files\qnotepro.tar.gz Infected: Trojan-Spy.HTML.Wamufraud.ab 2
C:\Users\Bruce\AppData\Roaming\Thunderbird\Profiles\iw8bfe6r.default\Mail\mail.folk-odyssey.com\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1146006236.53806.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1146008773.81311.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1152146547.31134.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Paylap.iy 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1155143948.30263.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1158752597.53967.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Paylap.jm 2
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1158863621.94034.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1159366153.26303.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1159366153.26304.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1159519329.4046.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1159883903.62479.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1161138813.78819.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Bayfraud.kh 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1163706463.54663.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1163717763.18798.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1163725674.10955.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1164062905.14909.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1168492673.8465.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1168610101.30554.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1168927453.38368.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1168981527.11595.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1170097612.20144.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1170261391.50233.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\.panel\users\patrice\cur\1146006236.53806.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\.panel\users\patrice\cur\1146008773.81311.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1146006236.53806.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1146008773.81311.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1152146547.31134.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Paylap.iy 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1155143948.30263.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1158752597.53967.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Paylap.jm 2
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1158863621.94034.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1159366153.26303.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1159366153.26304.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1159519329.4046.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1159883903.62479.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1161138813.78819.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Bayfraud.kh 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1163706463.54663.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1163717763.18798.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1163725674.10955.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1164062905.14909.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1168492673.8465.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1168610101.30554.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1168927453.38368.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1168981527.11595.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1170097612.20144.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1170261391.50233.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\cur\1171602389.49272.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\ARAMC 2-15-2007\.panel\users\patrice\new\1172652301.13125.host406.ipowerweb.com Infected: Trojan-Spy.HTML.Bankfraud.rc 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1146006236.53806.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1146008773.81311.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1152146547.31134.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Paylap.iy 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1155143948.30263.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1158752597.53967.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Paylap.jm 2
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1158863621.94034.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1159366153.26303.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1159366153.26304.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1159519329.4046.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1159883903.62479.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1161138813.78819.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Bayfraud.kh 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1163706463.54663.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1163717763.18798.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1163725674.10955.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1164062905.14909.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1168492673.8465.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1168610101.30554.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1168927453.38368.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1168981527.11595.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1170097612.20144.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\ARAMC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1170261391.50233.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\Q-Note Web\qnotepro.tar.gz Infected: Trojan-Spy.HTML.Wamufraud.ab 2

The selected area was scanned.

Thanks for your help in advance!

Daimeion

EDIT: posted main.txt twice. Took out duplicate and put in Kaspersky scan. Sorry!

Edited by Daimeion, 27 June 2008 - 07:56 PM.
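The Kaspersky report above is dominated by repeated hits on the same mailbox files: the `.panel\users\patrice\cur\` paths are a Maildir-style mail store (one file per message, `cur`/`new` subfolders) that has been copied into several website backup folders, and the `Trojan-Spy.HTML.*` names are Kaspersky's verdicts for phishing pages (PayPal, eBay and bank look-alikes) sitting in those messages, while the `not-a-virus:`/`not-virus:` prefix marks adware and joke programs rather than malware. Counting duplicates by file name makes it easy to see how many distinct files the 28 infected and 81 suspicious objects really come from. The following parser is an added example written for this page, not a tool the poster used; the report lines it runs on are a constructed excerpt in the same format as the scan log above, and the verdict classification (`is_pua`, `is_phishing_html`) is an assumption based on the Kaspersky naming prefixes.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the format of the Kaspersky Online Scanner 7 report
# above: a few representative lines, not the full report.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\ARAMAC\Web Pages\.panel\users\patrice\cur\1146006236.53806.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Public\Documents\AMARC Web\.panel\users\patrice\cur\1146006236.53806.host406.ipowerweb.com_2, Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\ARAMAC\Web Pages\web 1-3-2007\AMARC Web\.panel\users\patrice\cur\1158752597.53967.host406.ipowerweb.com_2, Infected: Trojan-Spy.HTML.Paylap.jm 2
C:\My Downloads\fp2006-final-3.00-setup.zip Infected: not-virus:BadJoke.JS.RJump 1
C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az 1
C:\Q-Note Productions\Web Files\qnotepro.tar.gz Infected: Trojan-Spy.HTML.Wamufraud.ab 2

The selected area was scanned.
"""

# One detection per line: "<path>[,] <Infected|Suspicious>: <threat> <count>".
# The comma after the path is present on some lines and absent on others.
LINE_RE = re.compile(
    r"^(?P<path>.+?),?\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str
    threat: str
    count: int

    @property
    def basename(self) -> str:
        # Maildir message names (timestamp.pid.host) identify the same message
        # wherever the mailbox has been copied, so group on the file name.
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_pua(self) -> bool:
        # Assumption: Kaspersky prefixes adware and joke programs with these tags.
        return self.threat.startswith(("not-a-virus:", "not-virus:"))

    @property
    def is_phishing_html(self) -> bool:
        # Assumption: Trojan-Spy.HTML.* verdicts are phishing pages, not executables.
        return self.threat.startswith("Trojan-Spy.HTML.")


def parse_report(text: str) -> list:
    """Return one Detection per report line that matches LINE_RE; headers are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return found


def summarize(dets: list) -> dict:
    """Collapse duplicate copies and split the hits into phishing mail, PUA and everything else."""
    by_name = {}
    for d in dets:
        by_name.setdefault(d.basename, []).append(d.path)
    duplicates = {name: paths for name, paths in by_name.items() if len(paths) > 1}
    return {
        "entries": len(dets),
        "unique_files": len(by_name),
        "duplicates": duplicates,
        "phishing_html": sum(1 for d in dets if d.is_phishing_html),
        "pua": sum(1 for d in dets if d.is_pua),
        # Anything that is neither a phishing page nor PUA deserves a closer look.
        "other": [d.path for d in dets if not d.is_pua and not d.is_phishing_html],
        "threats": Counter(d.threat for d in dets),
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    print(f"{report['entries']} entries, {report['unique_files']} distinct files")
    for name, paths in report["duplicates"].items():
        print(f"  {name} appears {len(paths)} times")
    print(f"phishing mail: {report['phishing_html']}, PUA: {report['pua']}, other: {report['other']}")
```

Run against the full report, the `other` list is what matters for the original question: every hit in the log is either a phishing message in a stored mailbox or an adware/joke classification, none of them a running binary, so this scan says nothing either way about Vundo persistence, which has to be judged from the startup and BHO entries in the HijackThis section instead.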


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:46 AM

Posted 20 July 2008 - 03:37 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new HijackThis log, along with a description of any problems you are experiencing. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Thank you for your patience.

#3 Daimeion

Daimeion
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:05:46 PM

Posted 21 July 2008 - 07:09 PM

I understand, I have been dealing with a lot of spyware removal at my repair shop lately. However, this customer picked up his system already. You can close this topic.

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:46 AM

Posted 22 July 2008 - 06:00 AM

Since this issue seems to be resolved, this topic is now closed.



