

Troganvundo'trogenvitrumundo


10 replies to this topic

#1 ncanales1

ncanales1

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:19 AM

Posted 26 August 2008 - 10:59 AM

Hello:

I was referred by http://www.bleepingcomputer.com/forums/ind...p?showuser=2608, who asked me to submit my HijackThis scan to anyone in the HijackThis forum who can help me.

Here is my HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:33 AM, on 8/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {465E08E7-F005-4389-980F-1D8764B3486C} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [isCfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\xpadmin\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.songtouch.com/install/network/install.exe
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://onsite.verisign.com/services/SBCSer...ions/vspta3.cab
O16 - DPF: {80FEF3B5-058D-11D4-8020-00C04F27965A} (ProjectInvoiceEntry.InvoiceEntry) - https://clrs.sprint.com/vbclrs/InvoiceEntry.CAB
O16 - DPF: {A207C7D1-E0C0-4EF5-8F8D-A5AA7F0E0992} (ProjectInvoiceEntry.InvoiceEntry) - https://clrs.sprint.com/vbclrs/InvoiceEntry.CAB
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoe...34/MusicNow.cab
O16 - DPF: {B0C77EBC-5250-4913-A245-BFA796A36C72} - http://toolbar.dhl.com/setup_ext_v1.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFB5AB77-AF64-4531-A713-D89677D16392}: NameServer = 192.168.100.1
O20 - AppInit_DLLs: nteuhs.dll
O20 - Winlogon Notify: wvUljHAq - wvUljHAq.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 9152 bytes



#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:11:19 AM

Posted 27 August 2008 - 05:12 PM

Hi

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Once finished, save the log to your Desktop as filename KAV.txt.
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#3 ncanales1

ncanales1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:19 AM

Posted 03 September 2008 - 12:26 PM

KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 3, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 02, 2008 21:26:26
Records in database: 1183068
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
L:\
N:\
P:\
Q:\
R:\
S:\
T:\
U:\
X:\
Y:\
Z:\

Scan statistics:
Files scanned: 393505
Threat name: 12
Infected objects: 58
Suspicious objects: 0
Duration of the scan: 14:05:59


File name / Threat name / Threats count
C:\Documents and Settings\xpadmin\Desktop\Unused Desktop Shortcuts\GraboidVideoSetup.exe Infected: not-a-virus:Downloader.Win32.SwiftCleaner.d 1
C:\Program Files\Video Server\svchost.exe Infected: Trojan.Win32.Agent.atm 1
G:\Job Descriptions\ASBSUPR.DOC Infected: Virus.MSWord.Mdma 1
G:\Job Descriptions\DOC2.DOC Infected: Virus.MSWord.Mdma 1
L:\DATA\ENG\SP\SANFORD\SANFOR41.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\ENG\SP\SANFORD\SANFOR43.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\ENG\SP\SANFORD\SANFOR45.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\ENG\SP\SANFORD\SANFOR47.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\ENG\SP\SANFORD\SANFOR55.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\ENG\SP\SANFORD\SANFOR56.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\ENG\SP\SANFORD\SANFOR61.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\ENG\SP\SANFORD\SANFOR62.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\ENG\SP\SANFORD\SANFOR70.DOC Infected: Virus.MSWord.Mdma 1
L:\DATA\ENG\SP\SANFORD\SANFOR75.DOC Infected: Virus.MSWord.Mdma 1
L:\DATA\ENG\SP\SANFORD\VALMAPS.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\ENG\SP\SANFORD\5-9METRO.DOC Infected: Virus.MSWord.Concept 1
L:\DATA\COMPANY\Downloads\MBbuilder install.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
L:\DATA\COMPANY\Downloads\bullet proof ftpserver_install.exe Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 1
L:\DATA\COMPANY\Downloads\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
L:\DATA\COMPANY\Downloads\vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 2
L:\DATA\COMPANY\Downloads\vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
L:\DATA\COMPANY\Downloads\site capture1 install\SETUP.EXE Infected: not-a-virus:AdWare.Win32.Aureate.a 6
L:\DATA\COMPANY\Downloads\visio\VISIO 2002 KEY GENERATOR.exe Infected: Trojan.Win32.Agent.a 1
L:\DATA\COMPANY\Downloads\mapinfo 8.0 licence\start.exe Infected: Trojan-Downloader.Win32.IstBar.ja 1
L:\DATA\COMPANY\Downloads\mapinfo 8.0 licence\start.exe Infected: Trojan-Downloader.Win32.IstBar.ny 1
L:\DATA\Recruiting\Job Descriptions\ASBSUPR.DOC Infected: Virus.MSWord.Mdma 1
L:\DATA\Recruiting\Job Descriptions\DOC2.DOC Infected: Virus.MSWord.Mdma 1
P:\Downloads\MBbuilder install.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
P:\Downloads\bullet proof ftpserver_install.exe Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 1
P:\Downloads\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
P:\Downloads\vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 2
P:\Downloads\vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
P:\Downloads\site capture1 install\SETUP.EXE Infected: not-a-virus:AdWare.Win32.Aureate.a 6
P:\Downloads\visio\VISIO 2002 KEY GENERATOR.exe Infected: Trojan.Win32.Agent.a 1
P:\Downloads\mapinfo 8.0 licence\start.exe Infected: Trojan-Downloader.Win32.IstBar.ja 1
P:\Downloads\mapinfo 8.0 licence\start.exe Infected: Trojan-Downloader.Win32.IstBar.ny 1

The selected area was scanned.


Malwarebytes' Anti-Malware 1.26
Database version: 1108
Windows 5.1.2600 Service Pack 3

9/3/2008 9:57:07 AM
mbam-log-2008-09-03 (09-57-07).txt

Scan type: Quick Scan
Objects scanned: 51435
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here you go and thanks

Nick

#4 ncanales1

ncanales1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:19 AM

Posted 03 September 2008 - 02:20 PM

ComboFix 08-09-01.05 - xpadmin 2008-09-03 11:58:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.722 [GMT -7:00]
Running from: C:\Documents and Settings\xpadmin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\xpadmin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\xpadmin\Application Data\macromedia\Flash Player\#SharedObjects\ABCMYVMW\bin.clearspring.com
C:\Documents and Settings\xpadmin\Application Data\macromedia\Flash Player\#SharedObjects\ABCMYVMW\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\xpadmin\Application Data\macromedia\Flash Player\#SharedObjects\ABCMYVMW\interclick.com
C:\Documents and Settings\xpadmin\Application Data\macromedia\Flash Player\#SharedObjects\ABCMYVMW\interclick.com\ud.sol
C:\Documents and Settings\xpadmin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\xpadmin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\xpadmin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\xpadmin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\xpadmin\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\xpadmin\Local Settings\Temporary Internet Files\CSC2.5U-EN-845-F.sbr.sgn
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\ahswgjpx.ini
C:\WINDOWS\system32\ameepdtj.ini
C:\WINDOWS\system32\atdlgvav.ini
C:\WINDOWS\system32\avaxahfn.ini
C:\WINDOWS\system32\ayyxugts.ini
C:\WINDOWS\system32\bidrpoal.ini
C:\WINDOWS\system32\boscsibn.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\btcehdas.ini
C:\WINDOWS\system32\byfkysiw.ini
C:\WINDOWS\system32\ctishids.ini
C:\WINDOWS\system32\drigtvdg.ini
C:\WINDOWS\system32\ebfjkcoa.ini
C:\WINDOWS\system32\eewtylee.ini
C:\WINDOWS\system32\evbcesji.ini
C:\WINDOWS\system32\fcjginvs.ini
C:\WINDOWS\system32\fghcgxnj.ini
C:\WINDOWS\system32\ghrgpirl.ini
C:\WINDOWS\system32\gmumiywx.ini
C:\WINDOWS\system32\gviyjdcb.ini
C:\WINDOWS\system32\hdwcxfwu.ini
C:\WINDOWS\system32\hgaakiok.ini
C:\WINDOWS\system32\iopmqfhl.ini
C:\WINDOWS\system32\iwqexovu.ini
C:\WINDOWS\system32\jhmurfei.ini
C:\WINDOWS\system32\jjvqsaxt.ini
C:\WINDOWS\system32\jsdvnryg.ini
C:\WINDOWS\system32\kkqrvsjc.ini
C:\WINDOWS\system32\lbacynet.ini
C:\WINDOWS\system32\mgmixynn.ini
C:\WINDOWS\system32\mjghntcb.ini
C:\WINDOWS\system32\mrgvuvbx.dll
C:\WINDOWS\system32\mvkbopnq.ini
C:\WINDOWS\system32\nummikxj.ini
C:\WINDOWS\system32\nuydfufc.ini
C:\WINDOWS\system32\nvavxcay.ini
C:\WINDOWS\system32\nwclhsvo.ini
C:\WINDOWS\system32\ocrudvxr.ini
C:\WINDOWS\system32\ogdnilte.ini
C:\WINDOWS\system32\oqchnvlb.ini
C:\WINDOWS\system32\pijnjcsk.ini
C:\WINDOWS\system32\pkfbxmju.ini
C:\WINDOWS\system32\pmcthspr.ini
C:\WINDOWS\system32\podakhym.ini
C:\WINDOWS\system32\pojyfadg.ini
C:\WINDOWS\system32\qmvdvijt.ini
C:\WINDOWS\system32\qwrplyok.ini
C:\WINDOWS\system32\raaoyqju.ini
C:\WINDOWS\system32\rilxumwx.ini
C:\WINDOWS\system32\sjliolnq.ini
C:\WINDOWS\system32\ssysholl.ini
C:\WINDOWS\system32\sucxitkm.ini
C:\WINDOWS\system32\tcommorm.ini
C:\WINDOWS\system32\tgxbyhvd.ini
C:\WINDOWS\system32\ufdvntei.ini
C:\WINDOWS\system32\uggsuuvm.ini
C:\WINDOWS\system32\uryenjep.ini
C:\WINDOWS\system32\uvephkwe.ini
C:\WINDOWS\system32\uxmkybxd.ini
C:\WINDOWS\system32\vcurinaj.ini
C:\WINDOWS\system32\vlywdkei.ini
C:\WINDOWS\system32\vniiwdtn.dll
C:\WINDOWS\system32\vschrroc.ini
C:\WINDOWS\system32\vxfqechu.ini
C:\WINDOWS\system32\vxuxsebw.ini
C:\WINDOWS\system32\vyquismd.ini
C:\WINDOWS\system32\wcnqgc.dll
C:\WINDOWS\system32\wsnxlgux.ini
C:\WINDOWS\system32\xasexikg.ini
C:\WINDOWS\system32\xhsosicd.ini
C:\WINDOWS\system32\xkmuomdw.ini
C:\WINDOWS\system32\xqkfllxc.ini
C:\WINDOWS\system32\xrfauaub.ini
C:\WINDOWS\system32\ydgkrapv.ini
C:\WINDOWS\system32\yfwulbfv.ini
C:\WINDOWS\system32\ygbdxnlm.ini
C:\WINDOWS\system32\ynqqatva.ini
C:\WINDOWS\system32\yqyenfmd.ini
C:\WINDOWS\system32\ytpeywmm.ini
C:\WINDOWS\system32\zblbwa.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-03 11:37 . 2008-09-03 11:37 <DIR> d-------- C:\Program Files\Microsoft Diagnostics and Recovery Toolset
2008-08-30 18:38 . 2008-08-13 10:03 68,912 --a------ C:\WINDOWS\system32\drivers\sbapifs.sys
2008-08-30 18:38 . 2008-08-13 10:03 13,360 --a------ C:\WINDOWS\system32\drivers\sbaphd.sys
2008-08-28 17:40 . 2008-08-28 17:42 <DIR> d-------- C:\Program Files\Windows Live
2008-08-28 17:40 . 2008-08-28 17:42 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-28 17:40 . 2008-08-28 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-28 16:15 . 2008-08-28 16:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-28 16:08 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-28 16:08 . 2008-06-13 04:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-28 16:08 . 2008-05-08 07:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-28 16:07 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-28 16:02 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-28 16:02 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-28 16:00 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-26 17:20 . 2008-08-26 17:20 59,176 --a------ C:\WINDOWS\system32\sbbd.exe
2008-08-21 16:01 . 2008-08-21 16:01 <DIR> d-------- C:\Documents and Settings\xpadmin\Application Data\Sunbelt
2008-08-21 15:29 . 2008-08-21 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt
2008-08-21 13:53 . 2008-09-03 09:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-21 13:53 . 2008-08-21 13:53 <DIR> d-------- C:\Documents and Settings\xpadmin\Application Data\Malwarebytes
2008-08-21 13:53 . 2008-08-21 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-21 13:53 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-21 13:53 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-21 07:39 . 2008-08-21 07:39 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-16 14:14 . 2008-08-16 14:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Active Disk
2008-08-15 12:52 . 2008-08-15 12:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-13 16:06 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\000001_.tmp
2008-08-13 14:28 . 2008-08-13 14:28 <DIR> d-------- C:\WINDOWS\55A6283C638A4EE0B49151118554BDA2.TMP
2008-08-13 14:28 . 2008-08-13 14:28 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-08-13 14:27 . 2008-08-13 14:28 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-08-13 11:24 . 2008-08-13 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOPSettings
2008-08-11 06:50 . 2008-08-11 06:50 <DIR> d--hs---- C:\found.000
2008-08-03 07:19 . 2008-08-03 07:19 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 18:49 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-23 16:26 --------- d-----w C:\Documents and Settings\xpadmin\Application Data\Winamp
2008-08-22 02:26 --------- d-----w C:\Program Files\PDFcamp Pro v2.1
2008-08-22 00:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-13 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-13 21:27 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-13 21:27 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-13 21:27 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-13 21:27 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-13 21:27 --------- d-----w C:\Program Files\Symantec
2008-07-31 14:05 --------- d-----w C:\Program Files\iTunes
2008-07-31 14:05 --------- d-----w C:\Program Files\iPod
2008-07-30 03:33 --------- d--h--w C:\Documents and Settings\xpadmin\Application Data\Move Networks
2008-07-25 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-07-20 18:51 89,533,108 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-17 18:36 --------- d-----w C:\Documents and Settings\xpadmin\Application Data\Apple Computer
2008-07-16 20:26 --------- d-----w C:\Program Files\Winamp
2008-07-14 16:48 --------- d-----w C:\Program Files\Bonjour
2008-07-14 16:47 --------- d-----w C:\Program Files\QuickTime
2008-07-14 16:21 --------- d-----w C:\Program Files\Safari
2008-07-10 16:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 19:52 1,710,627 --sha-w C:\WINDOWS\system32\jjvqsaxt.tmp
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-05 07:13 58,760 ----a-w C:\symlcsv1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 51048]
"isCfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" [2008-01-30 611712]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
"SBAMTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-08-26 677160]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2007-01-05 484984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nteuhs.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^xpadmin^Start Menu^Programs^Startup^ICU E-Mail Manager.lnk]
path=C:\Documents and Settings\xpadmin\Start Menu\Programs\Startup\ICU E-Mail Manager.lnk
backup=C:\WINDOWS\pss\ICU E-Mail Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^xpadmin^Start Menu^Programs^Startup^ICU Receiver.lnk]
path=C:\Documents and Settings\xpadmin\Start Menu\Programs\Startup\ICU Receiver.lnk
backup=C:\WINDOWS\pss\ICU Receiver.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^xpadmin^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\xpadmin\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^xpadmin^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\xpadmin\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^xpadmin^Start Menu^Programs^Startup^SetupIR2.lnk]
path=C:\Documents and Settings\xpadmin\Start Menu\Programs\Startup\SetupIR2.lnk
backup=C:\WINDOWS\pss\SetupIR2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 09:15 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2004-10-12 16:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C86 Series]
--a------ 2003-11-25 03:00 99840 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2R1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2002-08-14 15:21 94208 C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-07-01 14:20 212992 C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-04-14 16:56 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-06 23:49 718704 C:\Program Files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Say the Time]
--a------ 2006-10-20 20:19 534016 C:\Program Files\Say the Time\SayTime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-02-26 12:22 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Video Server (Tray Icon)]
--a------ 2006-12-05 23:05 2265088 C:\Program Files\Video Server\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-07-09 14:33 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 15:22 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWTRAY]
--a------ 2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSCSPTISRV"=3 (0x3)
"_IOMEGA_ACTIVE_DISK_SERVICE_"=2 (0x2)
"WinDefend"=2 (0x2)
"emandoremote"=2 (0x2)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\GateWall\\GWClient.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Canon\\Network ScanGear\\SgTool.exe"=
"C:\\Program Files\\Canon\\Network ScanGear\\1.6\\SgTool.exe"=
"C:\\Program Files\\BoxChess\\BoxChess.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 5632]
R1 sbaphd;sbaphd;C:\WINDOWS\system32\drivers\sbaphd.sys [2008-08-13 13360]
R2 sbapifs;sbapifs;C:\WINDOWS\system32\drivers\sbapifs.sys [2008-08-13 68912]
S2 SBAMSvc;Sunbelt VIPRE Antivirus Service;C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-08-26 869672]
S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [2007-11-06 87848]
S4 emandoremote;eMando Remote;C:\Program Files\Video Server\svchost.exe [2006-12-05 2265088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SBAMSVC
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunServices-1A:Stardock TrayMonitor - (no file)
Notify-wvUljHAq - wvUljHAq.dll
MSConfigStartUp-98b2636f - C:\WINDOWS\system32\hgjxaujq.dll
MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1136589011\ee\AOLSoftware.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-MySpaceIM - C:\Program Files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-RayV - C:\Program Files\RayV\RayV\RayV.exe
MSConfigStartUp-SBCSTray - C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
MSConfigStartUp-Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-WinAntivirusPro - C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
MSConfigStartUp-Windows Defender - C:\Program Files\Windows Defender\MSASCui.exe
MSConfigStartUp-x3watch - C:\Program Files\X3watch\x3watch.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\xpadmin\Application Data\Mozilla\Firefox\Profiles\mto3apjv.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=slv5-&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla
FF -: plugin - C:\Program Files\GameTap\bin\Release\npgametaptool.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 12:00:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NWSHLXNT.dll
-> C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL
.
Completion time: 2008-09-03 12:02:13
ComboFix-quarantined-files.txt 2008-09-03 19:01:53

Pre-Run: 21,013,118,976 bytes free
Post-Run: 22,076,903,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

372 --- E O F --- 2008-08-30 10:03:44

#5 steamwiz

Posted 05 September 2008 - 05:12 PM

Hi

Sorry for the late reply, I've been ill & unable to get to my computer for 2 days ...

Please take a close look at the log from the KASPERSKY ONLINE SCANNER 7 REPORT

Many of the entries shown are on the G, L & P drives ... some of them may be false positives, but I advise you to delete as many of them as you can, if you know they are of no further use to you. Then we can check out what's left...

I see you have had Malwarebytes for some time, because of something I see in your "clean" Malwarebytes log, please Update Malwarebytes & run a new scan, then post the log.

What problems are you still experiencing?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#6 ncanales1 (Topic Starter)

Posted 06 September 2008 - 10:30 AM

Thank you so much for all your help, I hope you're feeling better. I'm working from home today (Saturday) and it's 8:27am, what time is it there? 8pm Sunday? The problem that I had before was fixed by your help, but like you said when I ran the Kaspersky, it came up with many viruses and I don't know how to fix or delete them. What about the ComboFix, with what you see in the list is there anything that I need to do? :thumbsup:

#7 steamwiz

Posted 06 September 2008 - 01:30 PM

Hi

today (Saturday) and its 8:27am, what time is it there? 8pm sunday?


8:27am Saturday your time ... is ... 4:27pm Saturday here ... we are 8 hours ahead of you :thumbsup:

Yes ... I would like you to Update Malwarebytes & run a new scan, then post the new log please.

Are the G, L & P drives on your computer or on a network? Can you access the network? Can the networked computers access your computer? It looks from your logs that there could be a problem with this ...

-

Did you download & install this yourself?

Kaspersky :- C:\Program Files\Video Server\svchost.exe Infected: Trojan.Win32.Agent.atm 1

Combofix :- S4 emandoremote;eMando Remote;C:\Program Files\Video Server\svchost.exe [2006-12-05 2265088]

http://www.emando.net/download.aspx

-
This as well ...

C:\Documents and Settings\xpadmin\Desktop\Unused Desktop Shortcuts\GraboidVideoSetup.exe Infected: not-a-virus:Downloader.Win32.SwiftCleaner.d 1

SwiftCleaner is a Rogue Security Program that shows false Warning messages. It also shows misleading scan results. It can also install through Trojan exploits.

If you had it installed then MBAM should have removed it, but delete that Unused Desktop Shortcut.

steam

#8 ncanales1 (Topic Starter)

Posted 11 September 2008 - 01:43 PM

Malwarebytes' Anti-Malware 1.27
Database version: 1132
Windows 5.1.2600 Service Pack 3

9/11/2008 8:10:03 AM
mbam-log-2008-09-11 (08-10-03).txt

Scan type: Full Scan (D:\|E:\|G:\|H:\|L:\|N:\|P:\|Q:\|R:\|S:\|T:\|U:\|X:\|Y:\|Z:\|)
Objects scanned: 329578
Time elapsed: 21 hour(s), 50 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dllschannel.dlldigest.dllmsnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.28
Database version: 1141
Windows 5.1.2600 Service Pack 3

9/11/2008 11:17:48 AM
mbam-log-2008-09-11 (11-17-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 127644
Time elapsed: 1 hour(s), 19 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Yes, the drives listed above are on a network, not from my computer, and yes I can gain access and cannot be accessed. Yes, I may have downloaded the video server (maybe from Zango or rapid?) and I have no idea how I downloaded eMando. Yes I downloaded Graboid about 4 months ago and I uninstalled it today 09/11/08, so MBAM didn't uninstall it for me. I removed the graboidvideosetup.exe from Unused Desktop Shortcuts.

#9 steamwiz

Posted 11 September 2008 - 03:46 PM

Hi

yes I can gain access and can not be accessed.


That should now have been repaired; other computers on the network should be able to access your computer now. Can you confirm this?

Your computer now appears to be clean, but the computers on the network which house the G:\ L:\ & P:\ drives have some cleaning to do .. it looks like they have been downloading illegal cracks/keygens ... & paid the price ...

Virus.MSWord.Concept 1

L:\DATA\ENG\SP\SANFORD\SANFOR41.DOC Infected: Virus.MSWord.Concept 1

http://www.viruslist.com/en/viruses/encycl...a?virusid=27097

-
Virus.MSWord.Mdma

L:\DATA\ENG\SP\SANFORD\SANFOR70.DOC Infected: Virus.MSWord.Mdma 1

http://www.viruslist.com/en/viruses/encycl...a?virusid=27380

steam

#10 ncanales1 (Topic Starter)

Posted 15 September 2008 - 11:09 AM

BUT WHAT ABOUT ALL THOSE VIRUSES THAT WERE FOUND BY KASPERSKY AND COMBOFIX? I DIDN'T ERASE THE ONES THAT KASPERSKY FOUND.

#11 steamwiz

Posted 15 September 2008 - 04:50 PM

Hi

Combofix deleted all the malware it found, take a look at the list under >>>>

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

in the Combofix log ...

RE: KASPERSKY

Please read my last post again :thumbsup:

steam



