Jump to content

Problem AntiVirus 2008


Recommended Posts

Hi,

Here is a problem AntiVirus 2008 item. I ran the tool and found 300 + items on light scan. I then ran the 2nd pass on Full scan and can up with another 50 or so after reboot on the first. I ran these in SAFE Mode. Still there on normal reboot reboot. Also zattached is the Hijackthis log file.

Any suggestions would be great.

System Information:

XP Sp1

expired macafee antivirus (replaced with new)

Thanks.

mark

mbam_log_7_30_2008__11_09_15_.txt

mbam_log_7_30_2008__11_54_23__2.txt

mbam_log_7_30_2008__11_09_15_.txt

mbam_log_7_30_2008__11_54_23__2.txt

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:19: VIRUS ALERT!, on 7/30/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\WinTV\Ir.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\Jeff\LOCALS~1\Temp\csrssc.exe

E:\HiJackThis.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2

O1 - Hosts: 127.0.0.0 localhost

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [bM07b47664] Rundll32.exe "C:\WINDOWS\System32\wxbgaqax.dll",s

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [lanmanwrk.exe clean] C:\WINDOWS\System32\lanmanwrk.exe clean

O4 - HKCU\..\Run: [wekewfjo983mkefdd] C:\DOCUME~1\Jeff\LOCALS~1\Temp\winlogan.exe

O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Jeff\LOCALS~1\Temp\csrssc.exe

O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe

O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Jeff\cftmon.exe

O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe

O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe

O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &Download File - C:\Program Files\Winferno\Secure IE\Scripts\AddToTransferQueue.htm

O8 - Extra context menu item: &Highlight - C:\Program Files\Winferno\Secure IE\Scripts\highlight.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Zoom &In - C:\Program Files\Winferno\Secure IE\Scripts\zoomin.htm

O8 - Extra context menu item: Zoom O&ut - C:\Program Files\Winferno\Secure IE\Scripts\zoomout.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Microsoft AntiSpyware helper - {B9B19139-C45D-42BA-A011-319970D37EC6} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9B19139-C45D-42BA-A011-319970D37EC6} - (no file) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} - http://38.144.58.87/sex/xxxmovies.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9F85C926-A979-48F2-A147-5A766CE5629B}: NameServer = 68.87.69.146,68.87.85.98,68.87.78.130

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 68.87.69.146 68.87.85.98,68.87.78.130

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 68.87.69.146 68.87.85.98,68.87.78.130

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 68.87.69.146 68.87.85.98,68.87.78.130

O22 - SharedTaskScheduler: werkjdnfi8wnkjmdfdfkefn - {C5AF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\System32\kdfgj83ke.dll

O23 - Service: Avira AntiVir Personal

Link to post
Share on other sites

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.

Link to post
Share on other sites

Thanks for the input. Her is what I get.

Setup cannot continue because the version of Windows on your computer is newer than the version on the CD.

Warning: If you decide to delete the newer version of Windows that is currently installed on your computer, the files and settings cannot be recovered.

MH

Setup_Error.doc

Setup_Error.doc

Link to post
Share on other sites

Here is my latest scan. I doing OK, have SP2 and SP3 installed. Still some lingering Malware.

Malwarebytes' Anti-Malware 1.24

Database version: 1013

Windows 5.1.2600 Service Pack 3

6:28:42 PM 7/31/2008

mbam-log-7-31-2008 (18-28-42).txt

Scan type: Quick Scan

Objects scanned: 41357

Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\SYSTEM32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\Winpv85.sys (Rootkit.Agent) -> Delete on reboot.

Link to post
Share on other sites

The Latest Scan. [

Malwarebytes' Anti-Malware 1.24

Database version: 1014

Windows 5.1.2600 Service Pack 3

9:42:35 AM 8/1/2008

mbam-log-8-1-2008 (09-42-21).txt

Scan type: Quick Scan

Objects scanned: 42928

Time elapsed: 37 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\WinCtrl32.dl_ (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\DRIVERS\Winpv85.sys (Rootkit.Agent) -> No action taken.

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:08:04 AM, on 8/1/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe

C:\Program Files\Dell Photo AIO Printer 944\memcard.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\dlcdcoms.exe

C:\Program Files\SpyZooka\spyzooka.exe

C:\Program Files\WinTV\Ir.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com/

O1 - Hosts: 127.0.0.0 localhost

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"

O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe

O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll

O23 - Service: Avira AntiVir Personal

Link to post
Share on other sites

We need to use combofix for this infection. You have a rootkit that causes a serious security concern. If you have used your computer for online Banking, you should contact your Bank/Credit Card companies and inform them of this security breech.

Please do the following:

Go to Microsoft's website...

Select the download that's appropriate for your Operating System

KB310994.gif

Download the file & save it as it's originally named, next to ComboFix.exe

RC1-4.gif

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
    RC_whatnext.gif
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log.

Thanks!

Link to post
Share on other sites

Vet,

Here is the Combofix log file. Others to follow.

Thanks,

MH

ComboFix 08-08-06.02 - Jeff 2008-08-06 16:52:19.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.633 [GMT -7:00]

Running from: C:\Program Files\ComboFix.exe

Command switches used :: C:\Documents and Settings\Jeff\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Mark\Application Data\macromedia\Flash Player\#SharedObjects\NYZ4LRKA\interclick.com

C:\Documents and Settings\Mark\Application Data\macromedia\Flash Player\#SharedObjects\NYZ4LRKA\interclick.com\ud.sol

C:\Documents and Settings\Mark\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com

C:\Documents and Settings\Mark\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

C:\WINDOWS\system32\paradise.dll

C:\WINDOWS\system32\WinCtrl32.dl_

C:\WINDOWS\system32\WinCtrl32.dll

.

((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))

.

2008-08-06 17:00 . 2008-08-06 17:00 344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kgpfr2.cfg

2008-08-06 16:45 . 2008-08-06 16:46 2,706,543 --a------ C:\Program Files\ComboFix.exe

2008-08-06 10:23 . 2008-08-06 17:01 3,592 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kgpcpy.cfg

2008-08-06 10:18 . 2008-08-06 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard

2008-08-06 10:17 . 2008-08-06 10:17 <DIR> d-------- C:\Program Files\STOPzilla!

2008-08-06 10:16 . 2008-08-06 10:16 <DIR> d-------- C:\Program Files\Common Files\iS3

2008-08-06 10:16 . 2008-08-06 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!

2008-08-06 09:54 . 2008-08-06 09:54 292,352 --a------ C:\Program Files\STOPzilla_Setup.exe

2008-08-05 20:35 . 2008-08-05 20:35 34,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\578lsf.exe

2008-08-01 10:07 . 2008-08-01 10:07 <DIR> d-------- C:\Program Files\Trend Micro

2008-08-01 08:08 . 2008-08-01 08:08 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Malwarebytes

2008-08-01 07:37 . 2008-08-01 09:55 <DIR> d-------- C:\Program Files\SpyZooka

2008-08-01 07:21 . 2002-02-17 07:35 <DIR> d-------- C:\Documents and Settings\Mark\WINDOWS

2008-08-01 07:21 . 2002-02-17 07:34 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Symantec

2008-08-01 07:21 . 2008-08-01 07:21 <DIR> d-------- C:\Documents and Settings\Mark

2008-07-31 21:07 . 2008-08-01 09:56 <DIR> d-------- C:\Program Files\Panda Security

2008-07-31 19:02 . 2008-07-31 19:03 11,074 --a------ C:\WINDOWS\SYSTEM32\LexFiles.ulf

2008-07-31 19:01 . 2008-08-04 08:56 <DIR> d-------- C:\Program Files\Dl_cats

2008-07-31 18:55 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\SYSTEM32\wiafbdrv.dll

2008-07-31 18:55 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wiafbdrv.dll

2008-07-31 18:54 . 2008-07-31 19:35 <DIR> d-------- C:\Program Files\Dell Photo AIO Printer 944

2008-07-31 18:53 . 2008-07-31 19:35 <DIR> d-------- C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}

2008-07-31 18:53 . 2008-07-31 18:53 <DIR> d-------- C:\Temp

2008-07-31 18:22 . 2008-07-31 18:22 566,584 --a------ C:\Program Files\4400_A06.EXE

2008-07-31 16:25 . 2001-09-26 23:32 285,088 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys

2008-07-31 16:25 . 2001-09-26 23:32 285,088 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ati2mtaa.sys

2008-07-31 16:20 . 2008-07-31 16:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\Dell

2008-07-31 12:28 . 2008-07-31 12:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting

2008-07-31 12:21 . 2008-04-13 22:58 2,940,928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\wmploc.dll

2008-07-31 12:18 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hdaudbus.sys

2008-07-31 12:18 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys

2008-07-31 12:12 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003214_.tmp

2008-07-31 10:34 . 2008-07-31 10:34 137 --a------ C:\WINDOWS\SYSTEM32\MRT.INI

2008-07-31 10:17 . 2008-04-22 21:16 6,066,176 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll

2008-07-31 10:17 . 2007-04-17 02:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat

2008-07-31 10:17 . 2007-03-07 22:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui

2008-07-31 10:17 . 2008-04-22 21:16 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll

2008-07-31 10:17 . 2008-04-22 21:16 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll

2008-07-31 10:17 . 2008-06-13 04:05 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

2008-07-31 10:17 . 2008-04-22 21:16 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll

2008-07-31 10:17 . 2008-04-22 21:16 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll

2008-07-31 10:17 . 2008-04-22 21:16 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll

2008-07-31 10:17 . 2008-04-22 00:39 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe

2008-07-31 10:16 . 2008-05-08 07:02 203,136 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys

2008-07-31 02:56 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005920_.tmp

2008-07-31 02:30 . 2008-04-14 05:42 1,119,744 --a------ C:\WINDOWS\SYSTEM32\wmsdmoe2.dll

2008-07-31 02:30 . 2008-04-14 05:42 1,001,472 --a------ C:\WINDOWS\SYSTEM32\wmvdmoe2.dll

2008-07-31 02:30 . 2008-04-14 05:42 897,024 --a------ C:\WINDOWS\SYSTEM32\wmspdmoe.dll

2008-07-31 02:30 . 2008-04-14 05:42 485,376 --a------ C:\WINDOWS\SYSTEM32\wmspdmod.dll

2008-07-31 02:30 . 2008-04-14 05:42 233,472 --a------ C:\WINDOWS\SYSTEM32\wmpdxm.dll

2008-07-31 02:29 . 2008-04-14 05:41 384,512 --a------ C:\WINDOWS\SYSTEM32\mp4sdmod.dll

2008-07-31 02:29 . 2008-04-14 05:41 310,272 --a------ C:\WINDOWS\SYSTEM32\mp43dmod.dll

2008-07-31 02:29 . 2008-04-13 22:53 168,448 --a------ C:\WINDOWS\SYSTEM32\wmerror.dll

2008-07-31 02:29 . 2008-04-14 05:42 151,552 --a------ C:\WINDOWS\SYSTEM32\wmidx.dll

2008-07-31 02:29 . 2008-04-14 05:42 114,688 --a------ C:\WINDOWS\SYSTEM32\wmpasf.dll

2008-07-31 02:29 . 2008-04-14 05:42 52,224 --a------ C:\WINDOWS\SYSTEM32\mspmsnsv.dll

2008-07-31 02:26 . 2008-04-14 05:42 239,616 --a------ C:\WINDOWS\SYSTEM32\wstrenderer.ax

2008-07-31 02:25 . 2008-04-14 05:41 2,061,824 --a------ C:\WINDOWS\SYSTEM32\mstscax.dll

2008-07-31 02:25 . 2008-04-14 05:42 677,888 --a------ C:\WINDOWS\SYSTEM32\mstsc.exe

2008-07-31 02:25 . 2008-04-14 05:42 118,272 --a------ C:\WINDOWS\SYSTEM32\mpeg2data.ax

2008-07-31 02:24 . 2008-04-14 05:42 164,352 --a------ C:\WINDOWS\SYSTEM32\wstpager.ax

2008-07-31 02:23 . 2008-04-14 00:13 9,728 --a------ C:\WINDOWS\SYSTEM32\comsdupd.exe

2008-07-31 02:22 . 2008-04-14 00:13 12,800 --a------ C:\WINDOWS\SYSTEM32\spiisupd.exe

2008-07-31 02:21 . 2008-04-14 05:42 32,768 --a------ C:\WINDOWS\SYSTEM32\asr_pfu.exe

2008-07-31 02:19 . 2008-04-14 05:42 53,248 --a------ C:\WINDOWS\SYSTEM32\vbicodec.ax

2008-07-31 02:17 . 2008-04-14 05:42 4,274,816 --a------ C:\WINDOWS\SYSTEM32\nv4_disp.dll

2008-07-31 02:17 . 2008-04-14 05:42 380,416 --a------ C:\WINDOWS\SYSTEM32\irprops.cpl

2008-07-31 02:17 . 2008-04-14 05:41 229,376 --a------ C:\WINDOWS\SYSTEM32\ati2cqag.dll

2008-07-31 02:17 . 2008-04-14 05:42 58,880 --a------ C:\WINDOWS\SYSTEM32\pnrpnsp.dll

2008-07-31 02:17 . 2008-04-14 05:42 15,872 --a------ C:\WINDOWS\SYSTEM32\w3ssl.dll

2008-07-31 02:17 . 2008-04-14 05:42 13,824 --a------ C:\WINDOWS\SYSTEM32\wscntfy.exe

2008-07-31 02:17 . 2008-04-13 22:39 4,096 --a------ C:\WINDOWS\SYSTEM32\dsprpres.dll

2008-07-31 02:15 . 2008-04-14 05:41 755,200 --a------ C:\WINDOWS\SYSTEM32\ir50_32.dll

2008-07-31 02:14 . 2008-04-14 05:42 1,737,856 --a------ C:\WINDOWS\SYSTEM32\mtxparhd.dll

2008-07-31 02:14 . 2008-04-14 05:41 1,689,088 --a------ C:\WINDOWS\SYSTEM32\d3d9.dll

2008-07-31 02:14 . 2008-04-14 05:41 201,728 --a------ C:\WINDOWS\SYSTEM32\ati2dvag.dll

2008-07-31 02:14 . 2008-04-14 05:42 134,656 --a------ C:\WINDOWS\SYSTEM32\mssap.dll

2008-07-31 02:14 . 2008-04-14 05:41 60,416 --a------ C:\WINDOWS\SYSTEM32\fwcfg.dll

2008-07-31 02:14 . 2008-04-14 05:42 8,192 --a------ C:\WINDOWS\SYSTEM32\smbinst.exe

2008-07-31 02:13 . 2008-04-13 22:18 1,647,616 --a------ C:\WINDOWS\SYSTEM32\winbrand.dll

2008-07-31 02:13 . 2008-04-14 05:41 870,784 --a------ C:\WINDOWS\SYSTEM32\ati3d1ag.dll

2008-07-31 02:13 . 2008-04-14 05:42 848,384 --a------ C:\WINDOWS\SYSTEM32\ir41_32.ax

2008-07-31 02:13 . 2008-04-14 05:42 115,712 --a------ C:\WINDOWS\SYSTEM32\p2pnetsh.dll

2008-07-31 02:13 . 2008-04-14 05:42 57,856 --a------ C:\WINDOWS\SYSTEM32\twext.dll

2008-07-31 02:13 . 2008-04-14 05:42 50,176 --a------ C:\WINDOWS\SYSTEM32\xmlprovi.dll

2008-07-31 02:13 . 2008-04-14 05:42 11,264 --a------ C:\WINDOWS\SYSTEM32\spnpinst.exe

2008-07-31 02:13 . 2008-04-14 05:39 6,656 --a------ C:\WINDOWS\SYSTEM32\kbdinmal.dll

2008-07-31 02:13 . 2008-04-14 05:39 6,144 --a------ C:\WINDOWS\SYSTEM32\kbdinbe1.dll

2008-07-31 02:12 . 2008-04-14 05:41 1,888,992 --a------ C:\WINDOWS\SYSTEM32\ati3duag.dll

2008-07-31 02:12 . 2008-04-14 05:42 286,792 --a------ C:\WINDOWS\SYSTEM32\slextspk.dll

2008-07-31 02:12 . 2008-04-14 05:42 193,024 --a------ C:\WINDOWS\SYSTEM32\fsquirt.exe

2008-07-31 02:12 . 2008-04-14 05:42 129,024 --a------ C:\WINDOWS\SYSTEM32\xmlprov.dll

2008-07-31 02:12 . 2008-04-14 05:41 50,688 --a------ C:\WINDOWS\SYSTEM32\btpanui.dll

2008-07-31 02:12 . 2008-04-14 05:42 23,040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe

2008-07-31 02:12 . 2008-04-14 05:41 20,992 --a------ C:\WINDOWS\SYSTEM32\bthci.dll

2008-07-31 02:12 . 2008-04-14 05:41 13,312 --a------ C:\WINDOWS\SYSTEM32\cmsetacl.dll

2008-07-31 02:11 . 2008-04-14 00:07 369,664 --a------ C:\WINDOWS\SYSTEM32\html.iec

2008-07-31 02:11 . 2008-04-14 05:42 354,304 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll

2008-07-31 02:11 . 2008-04-13 23:09 187,392 --a------ C:\WINDOWS\SYSTEM32\xpsp1res.dll

2008-07-31 02:11 . 2008-04-14 05:42 49,152 --a------ C:\WINDOWS\SYSTEM32\powercfg.exe

2008-07-31 02:11 . 2008-04-14 05:41 30,208 --a------ C:\WINDOWS\SYSTEM32\bthserv.dll

2008-07-31 02:11 . 2008-04-14 05:42 17,408 --a------ C:\WINDOWS\SYSTEM32\winshfhc.dll

2008-07-31 02:11 . 2008-04-14 05:39 7,680 --a------ C:\WINDOWS\SYSTEM32\kbdsmsfi.dll

2008-07-31 02:11 . 2008-04-14 05:41 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx3.dll

2008-07-31 02:10 . 2008-04-14 05:41 86,016 --a------ C:\WINDOWS\SYSTEM32\mdmxsdk.dll

2008-07-31 02:10 . 2008-04-14 05:42 80,896 --a------ C:\WINDOWS\SYSTEM32\wscsvc.dll

2008-07-31 02:10 . 2008-04-14 05:42 28,672 --a------ C:\WINDOWS\SYSTEM32\vidcap.ax

2008-07-31 02:10 . 2008-04-14 05:42 23,040 --a------ C:\WINDOWS\SYSTEM32\ativmvxx.ax

2008-07-31 02:10 . 2008-04-14 05:42 20,992 --a------ C:\WINDOWS\SYSTEM32\faxpatch.exe

2008-07-31 02:10 . 2008-04-14 05:41 20,480 --a------ C:\WINDOWS\SYSTEM32\encapi.dll

2008-07-31 02:10 . 2008-04-14 05:39 6,144 --a------ C:\WINDOWS\SYSTEM32\kbdmlt48.dll

2008-07-31 02:08 . 2008-04-14 05:42 6,656 --a------ C:\WINDOWS\SYSTEM32\wuauserv.dll

2008-07-31 02:08 . 2008-04-14 05:39 6,144 --a------ C:\WINDOWS\SYSTEM32\kbdinben.dll

2008-07-31 02:08 . 2008-04-14 05:39 5,632 --a------ C:\WINDOWS\SYSTEM32\kbdmaori.dll

2008-07-31 02:06 . 2008-04-13 23:09 2,897,920 --a------ C:\WINDOWS\SYSTEM32\xpsp2res.dll

2008-07-31 02:05 . 2008-04-14 05:41 24,064 --a------ C:\WINDOWS\SYSTEM32\pidgen.dll

2008-07-31 02:04 . 2008-04-14 00:04 163,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nwrdr.sys

2008-07-31 02:04 . 2008-04-14 00:09 92,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mqac.sys

2008-07-31 02:02 . 2008-04-14 05:42 1,200,640 --a------ C:\WINDOWS\SYSTEM32\ntbackup.exe

2008-07-31 01:55 . 2008-03-24 21:50 355,112 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msjetol1.dll

2008-07-31 01:52 . 2008-04-14 05:42 1,033,728 --a------ C:\WINDOWS\explorer.exe

2008-07-31 01:52 . 2008-04-14 05:42 283,648 --a------ C:\WINDOWS\winhlp32.exe

2008-07-31 01:52 . 2008-04-14 05:42 146,432 --a------ C:\WINDOWS\regedit.exe

2008-07-31 01:52 . 2008-04-14 05:42 50,688 --a------ C:\WINDOWS\twain_32.dll

2008-07-31 01:52 . 2008-04-14 05:42 10,752 --a------ C:\WINDOWS\hh.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-06 23:07 --------- d-----w C:\Program Files\Common Files\Webroot Shared

2008-07-31 23:20 --------- d-----w C:\Program Files\Dell

2008-07-31 04:27 --------- d-----w C:\Program Files\Webroot

2008-07-31 04:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-07-31 04:27 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Webroot

2008-07-30 19:02 --------- d-----w C:\Program Files\McAfee

2008-07-30 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com

2008-07-30 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee

2008-07-18 00:34 2,456,282 ----a-w C:\Program Files\2008-04_Co_Mtg_Market_Change.pptx

2008-06-23 15:56 66,352 ----a-w C:\Documents and Settings\Jeff\Application Data\GDIPFONTCACHEV1.DAT

2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-15 17:01 --------- d-----w C:\Program Files\PhoneTools

2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys

2008-05-24 16:37 41,984 ----a-w C:\Program Files\Minutes for the 2008 Windsor Heights HOA Meeting.doc

2008-05-21 07:10 79,570 ----a-w C:\Program Files\thebradybunch-1972closing.wav

2008-05-21 07:10 73,850 ----a-w C:\Program Files\thebradybunch-1969closing.wav

2008-05-21 07:10 237,006 ----a-w C:\Program Files\Brady_Bunch.mp3

2008-05-21 07:10 163,062 ----a-w C:\Program Files\thebradybunch-pilotepisode.wav

2008-04-23 05:27 137,216 ----a-w C:\Program Files\Cat Pet Care Information Oscar.doc

2008-04-23 05:27 137,216 ----a-w C:\Program Files\Cat Pet Care Information Felix.doc

2008-04-23 05:27 134,656 ----a-w C:\Program Files\Vet Release.doc

2008-04-23 05:27 131,072 ----a-w C:\Program Files\Client Home Location Guide.doc

2008-04-23 05:27 125,952 ----a-w C:\Program Files\Client Information.doc

2008-04-23 05:27 114,688 ----a-w C:\Program Files\Client Emergency Contact Information.doc

2008-04-23 05:27 113,152 ----a-w C:\Program Files\Administrative_Form.doc

2008-04-23 05:27 110,592 ----a-w C:\Program Files\Law Form.doc

2008-04-23 05:25 125,952 ----a-w C:\Program Files\Client Information Rev 1.doc

2008-04-23 05:25 113,664 ----a-w C:\Program Files\Administrative_Form Rev 1.doc

2008-04-23 05:22 133,632 ----a-w C:\Program Files\Cat Pet Care Information Oscar Rev 1 April 08.doc

2008-04-23 05:21 133,632 ----a-w C:\Program Files\Cat Pet Care Information Felix Rev 1 April 08.doc

2008-04-23 05:19 122,880 ----a-w C:\Program Files\Client Information Rev 2 April 08.doc

2007-12-20 03:43 28,868,320 ----a-w C:\Program Files\FileFormatConverters.exe

2007-12-20 03:28 17,145 ----a-w C:\Program Files\Jeff Payne - Invoice for November and December, 2007.docx

2007-07-20 04:09 468,066 ----a-w C:\Program Files\MtOLY-07.jpg

2007-07-20 04:09 468,066 ----a-w C:\Program Files\MtOLY-07(2).jpg

2007-07-20 04:09 1,317,555 ----a-w C:\Program Files\Jenney-July07-2.jpg

2007-07-20 04:07 1,181,891 ----a-w C:\Program Files\Jenney-July07-1.jpg

2007-07-20 04:07 1,181,891 ----a-w C:\Program Files\Jenney-July07-1(2).jpg

2007-06-23 17:33 78,669 ----a-w C:\Program Files\LacyFitzpatrickJune2007.pdf

2007-04-24 18:12 147,507,486 ----a-w C:\Program Files\jdk-6u1-nb-5_5-win-ml.exe

2005-08-01 02:43 21,823,488 ----a-w C:\Program Files\cb550compact.exe

2005-08-01 01:48 10,703,680 ----a-w C:\Program Files\NDP1.1sp1-KB867460-X86.exe

2005-05-02 04:00 5,280,714 ----a-w C:\Program Files\SIE2004-FI.exe

2005-05-02 03:53 3,922,520 ----a-w C:\Program Files\MAS1149ENUS.exe

2004-09-16 03:46 12,652,784 ----a-w C:\Program Files\mp10setup.exe

2004-03-02 02:55 120,564 ----a-w C:\Program Files\cwshredder.zip

2004-02-23 04:10 1,803,464 ----a-w C:\Program Files\winzip81.exe

2002-06-04 00:36 9,208,587 ----a-w C:\Program Files\ioware-w32-x86-311.exe

2002-05-17 20:33 8,981,440 ----a-w C:\Program Files\ar505enu.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 14:39 69632]

"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 15:45 430080]

"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 944\memcard.exe" [2005-08-10 10:12 286720]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]

Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]

AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2005-02-10 21:02:12 102455]

Camio Viewer 2000.lnk - C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2002-02-17 07:35:46 49152]

Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 14:23:32 51776]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 16:06:54 24633]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-02-22 21:10:27 106560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"SpecifyDefaultButtons"= 1 (0x1)

"Btn_Search"= 2 (0x2)

"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\old]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winpv85.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]

R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-05-13 10:03]

R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-01-21 18:12]

R2 MBAMDrvService;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-07-30 20:07]

R2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-07-30 20:07]

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-09-26 23:32]

R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;C:\WINDOWS\system32\Drivers\hcw88rc5.sys [2004-11-22 10:20]

R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;C:\WINDOWS\system32\drivers\hcw88tun.sys [2004-11-18 10:33]

R3 hcw88vid;Hauppauge WinTV 88x Video;C:\WINDOWS\system32\drivers\hcw88vid.sys [2004-11-18 10:23]

R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;C:\WINDOWS\system32\drivers\HCW88BAR.sys [2004-11-18 10:23]

R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2000-10-03 14:18]

S0 winpv85;winpv85;C:\WINDOWS\system32\Drivers\Winpv85.sys []

S1 4684e105;4684e105;C:\WINDOWS\system32\drivers\4684e105.sys [2008-07-29 16:49]

S1 64fa319b;64fa319b;C:\WINDOWS\system32\drivers\64fa319b.sys [2008-07-29 16:49]

S1 67e16171;67e16171;C:\WINDOWS\system32\drivers\67e16171.sys [2008-07-29 17:39]

S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 11:48]

S3 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe [2001-08-06 12:41]

S4 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 16:19]

S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 12:52]

*Newly Created Service* - MBAMDRVSERVICE

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe

HKLM-Explorer_Run-paint.exe - (no file)

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\h53bgadp.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - www.msn.com

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-06 17:03:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE

C:\WINDOWS\SYSTEM32\NMSSVC.EXE

C:\WINDOWS\SYSTEM32\MsPMSPSv.exe

C:\WINDOWS\SYSTEM32\fxssvc.exe

C:\WINDOWS\SYSTEM32\devldr32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe

C:\Program Files\STOPzilla!\STOPzilla.exe

.

**************************************************************************

.

Completion time: 2008-08-06 17:17:59 - machine was rebooted [Jeff]

ComboFix-quarantined-files.txt 2008-08-07 00:17:52

Pre-Run: 3,192,180,736 bytes free

Post-Run: 3,252,301,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

301 --- E O F --- 2008-08-01 23:26:48

Link to post
Share on other sites

The program below is a "Flash Bios" Update...and should be stored on a floppy disk, not your hard disk:

C:\Program Files\4400_A06.EXE

Uninstall these:

Ask Toolbar

STOPzilla!

Java

...You can download and install the latest Java version but we need to remove the older (vulnerable) versions first. Also, Note:

Not every version of Java will begin with "Java" so be sure to read each entry in the list.

Repeat the uninstall process as necessary to remove all versions of Java.

**If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.

Navigate to and delete:

  • C:\Program Files\Java <=this folder if found

Then go to this page.

Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications" and click the "Download" button to the right. Select the platform for "Windows".

Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement", then click Continue...The page will refresh

Then, click on the link to download Windows Offline Installation. Save it to your desktop.

Now, from your desktop, double-click on the executable to install the newest version.

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File::

C:\Documents and Settings\All Users\Application Data\STOPzilla!

C:\WINDOWS\SYSTEM32\DRIVERS\578lsf.exe

C:\WINDOWS\003214_.tmp

C:\WINDOWS\005920_.tmp

C:\Program Files\cb550compact.exe

C:\Program Files\SIE2004-FI.exe

C:\Program Files\MAS1149ENUS.exe

C:\Program Files\mp10setup.exe

C:\Program Files\winzip81.exe

C:\Program Files\ar505enu.exe

C:\WINDOWS\system32\DRIVERS\szkg.sys

C:\WINDOWS\system32\Drivers\Winpv85.sys

C:\WINDOWS\system32\drivers\4684e105.sys

C:\WINDOWS\system32\drivers\64fa319b.sys

C:\WINDOWS\system32\drivers\67e16171.sys

C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

Folder::

C:\Program Files\STOPzilla!

C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}

Driver::

578lsf

szkg

Winpv85

4684e105

64fa319b

67e16171

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winpv85.sys]

@="Driver"

Link to post
Share on other sites

Already flashed the Bios.

This computer is not mine and out of my control now. When I sent him to bleepingcomputer he bought the SOPzilla instead of downloading ComboFix. He was eventually successfull getting combofix. Is STOPzilla a damgerous program or spyware?

Thanks, I will have this implemented.

Heavus

Link to post
Share on other sites

  • 2 weeks later...

Since this member has returned the computer to it's owner, we will close this thread for lack of any further need of assistance.

Other members with similar issues are warned that the instructions set forth in this thread relate to THIS COMPUTER ONLY and should not be applied to your system. Doing so could result in serious damage to your system and what you may end up with is just a very expensive paper weight.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.