Yieldmanager Problem


This topic is locked
24 replies to this topic

#16 woodyatwork (Topic Starter)

Posted 13 August 2008 - 08:22 PM

Could never get it to work from IE, but when I pasted the link into Firefox it is working. Tons of stuff downloading now.

I wanted to mention that the original problem that started all of this is still happening.

I was in IE tonight and out of the blue this Dell Search Page came up with this on it

"Sorry, we couldn't find <http://ad.yieldmanager.com/st%3Fad_type>. Here are some related websites: "

The address in the bar is:

<http://www.google.com/hws/dell/afe?hl=en&s=http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=160x600&site=140468&section_code=12808301&cb=1218676418698774&ycg=m&yyob=1963&promote_sizes=1&pub_redirect_unencoded=1&pub_redirect=http://us.ard.yahoo.com/SIG=152dpkse1/M=674272.12808301.13086293.9977534/D=mail_att/S=150593152:SKY/Y=YAHOO/EXP=1218683618/L=ew6s3EWTVOYYyEM5SJYqngAODLv4AkijhsIACoqZ/B=vHp0GNj8fX0-/J=1218676418698774/A=5406806/R=0/*>

Thanks.

Edited by Orange Blossom, 15 August 2008 - 11:16 PM.
Deactivate links. ~ OB
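As an added example (not part of the original post), the following Python splits that address into the search page's own parameters and the ad-request URL carried unencoded in s=, and shows why a plain query-string parser attributes the inner request's parameters to the search page. The URL is the one quoted above; the function names are my own.

```python
"""Decompose the search-assist URL from the post (added example, not code from
the thread). The s= parameter carries the ad-request URL *unencoded*, so its
own '&'-separated parameters would be spliced into the outer query by a naive
parser; the splitter below treats everything from 's=' onward as one value."""
from urllib.parse import parse_qs, parse_qsl, unquote, urlsplit

# The address quoted in the post, joined from several literals for readability.
POSTED_URL = (
    "http://www.google.com/hws/dell/afe?hl=en&s=http://ad.yieldmanager.com/st"
    "?ad_type=iframe&ad_size=160x600&site=140468&section_code=12808301"
    "&cb=1218676418698774&ycg=m&yyob=1963&promote_sizes=1"
    "&pub_redirect_unencoded=1&pub_redirect=http://us.ard.yahoo.com/SIG=152dpkse1"
    "/M=674272.12808301.13086293.9977534/D=mail_att/S=150593152:SKY/Y=YAHOO"
    "/EXP=1218683618/L=ew6s3EWTVOYYyEM5SJYqngAODLv4AkijhsIACoqZ/B=vHp0GNj8fX0-"
    "/J=1218676418698774/A=5406806/R=0/*"
)


def split_search_assist_url(url):
    """Return (outer_params, inner_url).

    outer_params holds the query pairs that precede s=; inner_url is the raw
    text after 's=' up to the end of the query, '&' signs included, or None
    when there is no s= parameter at all.
    """
    pieces = urlsplit(url).query.split("&")
    outer = {}
    for i, piece in enumerate(pieces):
        if piece.startswith("s="):
            return outer, "&".join(pieces[i:])[len("s="):]
        key, _, value = piece.partition("=")
        outer[key] = unquote(value)
    return outer, None


def describe_ad_request(inner_url):
    """Summarise the unreachable request: host, path, its parameters, and the
    host the ad server would have sent the browser to next (pub_redirect)."""
    parts = urlsplit(inner_url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    redirect = params.get("pub_redirect")
    return {
        "host": parts.hostname,
        "path": parts.path,
        "params": params,
        "redirect_host": urlsplit(redirect).hostname if redirect else None,
    }


def naive_outer_keys(url):
    """What a plain parse_qs() reports as the search page's own parameters:
    the inner request's keys leak into it, which is the mistake to avoid."""
    return set(parse_qs(urlsplit(url).query))


if __name__ == "__main__":
    outer, inner = split_search_assist_url(POSTED_URL)
    print("search page params:", outer)
    print("request the page could not reach:", describe_ad_request(inner))
    print("keys a naive parser attributes to the search page:",
          sorted(naive_outer_keys(POSTED_URL)))
```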



#17 woodyatwork (Topic Starter)

Posted 13 August 2008 - 08:38 PM

I did a search and found the following stuff. Do you think this is something safe and reasonable to do to help me with my problem?

Spybot S&D has added several thousand hostnames to your hosts file to protect you from a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. It does this by blocking connections to bad or unwanted hostnames. One of the hostnames is ad.yieldmanager.com so connections to it have been blocked - this is likely to be the cause of the problem.

You can try enabling connections to that host as follows:

  • Open Spybot S&D, press Mode->Advanced Mode and say Yes to the prompt.
  • Select Tools->IE Tweaks from the left menu and UN-check "Lock hosts file read-only as protection against hijackers".
  • Leave Spybot S&D open for now.
  • Next press Start->Run, copy/paste the following command into the box and press OK:

QUOTE
notepad c:\windows\system32\drivers\etc\hosts

  • Notepad will open with your hosts file.
  • Press CTRL-F, type ad.yieldmanager.com in the Find box and press Find Next.
  • Type hash marks (#) at the beginning of the two lines containing ad.yieldmanager.com so they look like this:

QUOTE
#127.0.0.1 ad.yieldmanager.com
#127.0.0.1 www.ad.yieldmanager.com

  • Press File->Save to save the changes and close Notepad.
  • Switch back to Spybot S&D and check "Lock hosts file read-only as protection against hijackers".
  • Close Spybot S&D.
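The quoted steps edit the hosts file by hand. As an added example (not code from the thread or from Spybot S&D), the following Python does the same job programmatically: it parses the file, reports which names are currently sinkholed to loopback, and comments out or restores the entries for one hostname, leaving any line that also names other hosts for the operator to split. The sample hosts content and the function names are constructed.

```python
"""Inspect and toggle Spybot-style blocklist entries in a Windows hosts file.

Added example, not code from the thread or from Spybot S&D. Spybot's
immunization appends lines such as "127.0.0.1 ad.yieldmanager.com", so the
name resolves to loopback and the browser reports the site as unreachable.
These helpers find such entries and comment them out (or restore them) the
way the quoted steps do by hand, while leaving every other line untouched.
"""
import ipaddress
import sys
from pathlib import Path

# Constructed sample of a hosts file after Spybot immunization (not the
# poster's real file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 ad.yieldmanager.com
127.0.0.1 www.ad.yieldmanager.com
127.0.0.1 ads.doubleclick.net   # inline comments are allowed in hosts files
127.0.0.1 interclick.com interclick.net
# End of entries inserted by Spybot - Search & Destroy
"""

# Addresses that make an entry a block rather than a real mapping.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback and must not count as blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts_line(raw):
    """Return (commented, ip, [names]) or None if the line is not an entry.

    A leading '#' marks a disabled entry only when what follows still parses
    as '<ip> <name>...'; banner comments such as '# Start of entries...' are
    rejected because their first token is not an IP address.
    """
    line = raw.strip()
    commented = line.startswith("#")
    if commented:
        line = line[1:].strip()
    line = line.split("#", 1)[0]            # drop a trailing inline comment
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ipaddress.ip_address(parts[0])
    except ValueError:
        return None
    return commented, parts[0], [name.lower() for name in parts[1:]]


def blocked_hosts(text):
    """Return the set of names currently sinkholed by active entries."""
    blocked = set()
    for raw in text.splitlines():
        entry = parse_hosts_line(raw)
        if entry is None:
            continue
        commented, ip, names = entry
        if not commented and ip in SINKHOLE_ADDRESSES:
            blocked.update(n for n in names if n not in LOCAL_NAMES)
    return blocked


def is_blocked(text, hostname):
    return hostname.lower() in blocked_hosts(text)


def set_blocked(text, hostname, enabled):
    """Comment out (enabled=False) or restore (enabled=True) the entries that
    name hostname, exactly as the '#127.0.0.1 ad.yieldmanager.com' step does.

    A line that also names other hosts is left alone and reported, so that
    unblocking one name never silently unblocks its neighbours.
    Returns (new_text, changed_line_numbers, shared_line_numbers).
    """
    newline = "\r\n" if "\r\n" in text else "\n"
    out, changed, shared = [], [], []
    for number, raw in enumerate(text.splitlines(), 1):
        entry = parse_hosts_line(raw)
        if entry is None or hostname.lower() not in entry[2]:
            out.append(raw)
            continue
        commented, _ip, names = entry
        if enabled == (not commented):       # already in the requested state
            out.append(raw)
        elif not enabled and len(names) > 1:
            shared.append(number)            # needs splitting by hand
            out.append(raw)
        elif enabled:
            changed.append(number)
            out.append(raw.lstrip()[1:].lstrip())
        else:
            changed.append(number)
            out.append("#" + raw)
    tail = newline if text.endswith("\n") else ""
    return newline.join(out) + tail, changed, shared


if __name__ == "__main__":
    # Usage: hosts_toggle.py [path-to-hosts] [hostname]; defaults to the sample.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_HOSTS
    name = sys.argv[2] if len(sys.argv) > 2 else "ad.yieldmanager.com"
    print("sinkholed:", sorted(blocked_hosts(text)))
    updated, changed, shared = set_blocked(text, name, enabled=False)
    print(f"{name}: commented out lines {changed}; shared lines left {shared}")
    print(updated, end="")
```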

#18 Billy O'Neal (Bleepin Microsoftie Engineer; Malware Response Instructor)

Posted 13 August 2008 - 09:15 PM

Hello, woodyatwork.
Unfortunately, that's not going to fix matters. Modifying the hosts file will disallow access to there, but it will not stop the redirects.

And that means I think I missed something.

We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3
Look buddy, I'm an Engineer, and that means I solve problems. Not problems like "What is beauty?" .. 'cause that would fall within the purview of your conundrums of philosophy....
GitHub - Twitter
My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#19 woodyatwork (Topic Starter)

Posted 13 August 2008 - 11:03 PM

You sure don't give up easily! Here is the log. Thanks.

ComboFix 08-08-13.02 - sw185041 2008-08-13 22:31:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.517 [GMT -5:00]
Running from: C:\Documents and Settings\sw185041\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\sw185041\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\sw185041\Application Data\macromedia\Flash Player\#SharedObjects\GDVHSN2K\interclick.com
C:\Documents and Settings\sw185041\Application Data\macromedia\Flash Player\#SharedObjects\GDVHSN2K\interclick.com\ud.sol
C:\Documents and Settings\sw185041\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\sw185041\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\drivers\fad.sys

----- BITS: Possible infected sites -----

http://SUSDAY7549:80
.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-13 21:06 . 2006-08-21 04:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-08-13 21:06 . 2006-08-21 04:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-08-13 21:06 . 2006-08-21 07:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-08-13 21:00 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-08-13 20:52 . 2008-05-08 07:28 202,752 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-13 19:39 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-08-12 18:44 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-12 18:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-12 18:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-12 18:44 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-10 14:47 . 2008-08-11 01:58 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-10 14:41 . 2008-08-10 14:43 <DIR> d-------- C:\Program Files\Java
2008-08-10 12:56 . 2008-08-10 12:56 <DIR> d-------- C:\regsearch
2008-08-10 10:51 . 2008-08-10 10:51 <DIR> d-------- C:\_OTMoveIt
2008-08-10 10:37 . 2008-08-10 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 22:09 . 2007-06-27 09:41 101,248 -ra------ C:\WINDOWS\system32\drivers\swnc8u56.sys
2008-08-08 22:08 . 2007-06-27 09:42 73,856 -ra------ C:\WINDOWS\system32\drivers\swumx56.sys
2008-08-08 22:03 . 2008-08-08 22:03 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\AT&T
2008-08-08 22:01 . 2008-08-08 22:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
2008-08-08 21:58 . 2008-08-08 21:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Bytemobile
2008-08-08 21:57 . 2008-08-08 21:57 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\DBUpdater
2008-08-08 21:57 . 2003-09-08 14:43 89,728 --a------ C:\WINDOWS\system32\drivers\usbvsp.sys
2008-08-08 21:54 . 2008-08-08 21:49 26,504 --a------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-08-08 21:53 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-08-08 21:52 . 2008-08-08 21:52 <DIR> d-------- C:\Program Files\Common Files\Research in Motion
2008-08-08 21:52 . 2008-08-08 21:52 <DIR> d-------- C:\Program Files\AT&T
2008-08-08 21:52 . 2008-08-08 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AT&T
2008-08-08 21:51 . 2008-08-08 21:51 <DIR> d-------- C:\Program Files\Option
2008-08-08 21:50 . 2008-08-08 21:50 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-08-08 21:48 . 2008-08-08 21:48 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-08-08 21:48 . 2008-08-08 21:48 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\Sierra Wireless
2008-08-07 11:59 . 2008-08-07 11:59 <DIR> d-------- C:\MyWorkData
2008-08-06 13:07 . 2008-08-06 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teradata
2008-08-06 11:34 . 2008-07-01 13:21 25,600 --a------ C:\WINDOWS\system32\drivers\pnmgr.sys
2008-08-06 11:14 . 2008-08-06 11:14 <DIR> d-------- C:\td12software
2008-08-06 11:06 . 2008-08-06 11:15 267,684 --a------ C:\WINDOWS\system32\setup.inx
2008-08-06 10:35 . 2008-08-07 17:35 <DIR> d-------- C:\Program Files\Teradata
2008-08-04 14:44 . 2008-08-04 14:44 0 --a------ C:\s1f8.i8
2008-08-01 18:13 . 2008-08-13 21:49 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-30 11:52 . 2008-07-30 11:52 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\acccore
2008-07-30 11:51 . 2008-08-10 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-30 11:50 . 2008-07-30 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-30 11:49 . 2008-07-30 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-30 11:49 . 2008-07-30 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-30 11:48 . 2008-07-30 11:48 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-07-30 11:48 . 2008-07-30 11:51 <DIR> d-------- C:\Program Files\AIM6
2008-07-30 11:48 . 2008-07-30 11:51 454 --ah----- C:\IPH.PH
2008-07-30 11:19 . 2008-07-30 11:52 <DIR> d-------- C:\Program Files\Trillian
2008-07-25 11:35 . 2008-02-12 13:45 45,568 --a------ C:\WINDOWS\system32\lmdimon.dll
2008-07-25 10:54 . 2008-07-25 10:55 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\Media Player Classic
2008-07-25 10:49 . 2008-06-30 09:47 421,888 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-07-25 10:48 . 2008-07-25 10:49 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-07-25 07:21 . 2008-07-25 07:21 <DIR> d-------- C:\Program Files\TechSmith
2008-07-25 07:21 . 2008-07-25 07:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-07-24 16:58 . 2008-07-24 16:58 <DIR> d-------- C:\Program Files\ToniArts
2008-07-24 16:34 . 2008-08-12 19:09 <DIR> d-------- C:\Program Files\RegScrubXP
2008-07-23 11:30 . 2008-07-23 11:30 <DIR> d-------- C:\Deckard
2008-07-23 11:12 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-23 11:11 . 2008-07-23 11:11 <DIR> d-------- C:\Program Files\Panda Security
2008-07-20 21:31 . 2008-07-23 11:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-20 21:31 . 2008-07-20 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 03:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-08-14 03:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-08-14 02:59 --------- d-----w C:\Program Files\ENDFORCE
2008-08-14 02:43 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-14 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 02:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-07 19:43 --------- d-----w C:\Program Files\oneworldflights
2008-08-07 00:05 --------- d-----w C:\Program Files\NCR
2008-07-25 19:16 --------- d-----w C:\Documents and Settings\sw185041\Application Data\uTorrent
2008-07-25 12:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 15:22 --------- d-----w C:\Program Files\Google
2008-07-23 20:20 --------- d-----w C:\Documents and Settings\sw185041\Application Data\VMware
2008-07-23 17:48 --------- d-----w C:\Documents and Settings\sw185041\Application Data\Yahoo!
2008-07-23 15:57 --------- d-----w C:\Program Files\Yahoo!
2008-07-21 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-21 01:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-18 18:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-07-07 23:20 --------- d-----w C:\Program Files\Add-in Express
2008-01-29 23:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Simp"="C:\Program Files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe" [2007-08-28 19:29 2150400]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-06-19 12:51 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 22:00 344064]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 18:24 684032]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 09:04 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"NCR-Netmeeting Check"="C:\WINDOWS\NMTRepair.EXE" [2006-01-03 14:41 164258]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34 851968]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
"OfficeScanNT Monitor"="C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 19:20 356429]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 18:26 217088]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [2007-05-01 22:46 56112]
"ENDFORCEAgent"="C:\Program Files\ENDFORCE\AgntTray.exe" [2007-06-27 23:35 1650688]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-24 10:22 29744]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2008-05-01 22:06 33280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\sw185041\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 17:34:48 3746856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 11:11:42 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-06 01:25:01 24576]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-04-07 20:36:48 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 07:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 14:44 196608 C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 15:24 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 15:14 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-25 08:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"C:\\Program Files\\Secway\\SimpLite-MSN 2.2\\SimpLite-MSN.exe"=
"C:\\Documents and Settings\\sw185041\\My Documents\\My Videos\\utorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 bynetpnp;NCR Bynet Interconnect;C:\WINDOWS\system32\DRIVERS\bynetpnp.sys [2006-01-04 10:00]
R0 ncrbynet;NCR Bynet Low Latency Interface;C:\WINDOWS\system32\DRIVERS\ncrbynet.sys [2006-01-04 10:00]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 Appfilt;Appfilt;C:\WINDOWS\system32\drivers\Appfilt.sys [2007-01-25 14:11]
R1 efpktftr;ENDFORCE Quarantine Filter;C:\WINDOWS\System32\Drivers\efPktFtr.sys [2007-06-27 20:38]
R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS [2007-01-30 00:43]
R2 bynet;Bynet;C:\Program Files\NCR\BYNET\blmsvc.exe [2006-01-04 10:01]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 02:50]
R2 ENDFORCE Agent API;ENDFORCE Agent API;C:\Program Files\ENDFORCE\AgentAPI.exe [2007-06-27 15:12]
R2 GtwRsrvTdmst;Teradata GTW Reserve Port;C:\Program Files\NCR\Tdat\TGTW\06.01.00.12\bin\GtwRsrvTdmst.exe [2006-01-13 14:12]
R2 ISService;Teradata Manager Service;C:\Program Files\Teradata\Teradata Manager 13.0\Bin\isservice.exe [2008-07-28 13:00]
R2 PdeinetdService;Teradata inetd Service;C:\Program Files\NCR\Tdat\PDE\06.01.00.12\bin\pdeinetd.exe [2006-03-02 07:10]
R2 PnMgr;PnMgr;C:\WINDOWS\system32\Drivers\PnMgr.sys [2008-07-01 13:21]
R2 PUTFileSvc;NCR PUT File Service;C:\Program Files\NCR\NCRput\bin\wfxrd.exe [2008-07-01 13:25]
R2 PUTJobSvc;NCR PUT Job Service;C:\Program Files\NCR\NCRput\bin\putjobd.exe [2008-07-01 13:24]
R2 PUTPortMgrSvc;NCR PUT Port Manager Service;C:\Program Files\NCR\NCRput\bin\portmgmt.exe [2008-07-01 13:24]
R3 ATTRcAppSvc;AT&T RcAppSvc;C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe [2008-03-06 16:10]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2006-12-19 12:00]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 17:46]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-12-19 12:00]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2006-02-09 02:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 05:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 ExtranetAccess;Contivity VPN Service;C:\Program Files\Nortel Networks\Extranet_serv.exe [2006-12-19 11:55]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-24 10:22]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-12-19 12:00]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 Pdesys;PDE Sys Driver;C:\WINDOWS\system32\drivers\pdesys.sys [2005-11-07 02:10]
S3 recond;Teradata RDBMS Initiator;C:\Program Files\NCR\Tdat\PDE\06.01.00.12\bin\recond.exe [2006-03-02 07:16]
S3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2008-08-08 21:49]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);C:\WINDOWS\system32\DRIVERS\swnc8u56.sys [2007-06-27 09:41]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);C:\WINDOWS\system32\DRIVERS\swumx56.sys [2007-06-27 09:42]
S3 TdqmServerService;TQS Server;C:\Program Files\NCR\Teradata Query Scheduler 12.0\server\tdqmserv.exe [2007-08-22 01:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15ba22fe-81d3-11dc-b14b-0016ce0b2c30}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38ff5f1b-64d1-11dd-b169-005056c00008}]
\Shell\AutoRun\command - E:\WIN\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6847d974-c525-11db-b11a-444553544200}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-05-23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe
MSConfigStartUp-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
MSConfigStartUp-Orb - C:\Program Files\Winamp Remote\bin\OrbTray.exe
MSConfigStartUp-Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\sw185041\Application Data\Mozilla\Firefox\Profiles\kzejogk7.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 22:45:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [3664] 0x86191628

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Secway\SimpLite-MSN 2.2\Plugins\WinsockHookDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Temp\NTBF0E.EXE
C:\Program Files\Common Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-08-13 22:55:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 03:55:33

Pre-Run: 5,240,209,408 bytes free
Post-Run: 5,160,652,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=alwaysoff /fastdetect


#20 Billy O'Neal (Bleepin Microsoftie Engineer; Malware Response Instructor)

Posted 14 August 2008 - 09:14 AM

Hello, woodyatwork.

QUOTE
You sure don't give up easily! Here is the log. Thanks.

NEVER :thumbsup:

You're very welcome :)

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/topic159258-15.html
    
    suspect::[54]
    C:\WINDOWS\system32\drivers\pavboot.sys
    C:\WINDOWS\system32\drivers\Appfilt.sys
    C:\WINDOWS\system32\Drivers\PnMgr.sys
    C:\WINDOWS\system32\DRIVERS\eacfilt.sys
    C:\WINDOWS\system32\DRIVERS\gtipci21.sys
    C:\WINDOWS\system32\drivers\swmsflt.sys
    
    registry::
    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"=-
    
    file::
    C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [Image: dragging CFScript.txt onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

#21 woodyatwork (Topic Starter)

Posted 15 August 2008 - 08:54 AM

ComboFix 08-08-14.03 - sw185041 2008-08-15 8:43:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.425 [GMT -5:00]
Running from: C:\Documents and Settings\sw185041\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\sw185041\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\sw185041\Application Data\macromedia\Flash Player\#SharedObjects\GDVHSN2K\interclick.com
C:\Documents and Settings\sw185041\Application Data\macromedia\Flash Player\#SharedObjects\GDVHSN2K\interclick.com\ud.sol
C:\Documents and Settings\sw185041\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\sw185041\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\sw185041\Cookies\[email protected][2].txt
C:\Documents and Settings\sw185041\Cookies\[email protected][1].txt
C:\Documents and Settings\sw185041\Cookies\sw185041@live[2].txt
C:\Documents and Settings\sw185041\Cookies\[email protected][2].txt
C:\Documents and Settings\sw185041\Cookies\sw185041@revsci[1].txt
C:\Documents and Settings\sw185041\Cookies\sw185041@teradata[1].txt
C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job

.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-13 21:06 . 2006-08-21 04:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-08-13 21:06 . 2006-08-21 04:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-08-13 21:06 . 2006-08-21 07:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-08-13 21:00 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-08-13 20:52 . 2008-05-08 07:28 202,752 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-13 19:39 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-08-12 18:44 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-12 18:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-12 18:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-12 18:44 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-10 14:47 . 2008-08-11 01:58 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-10 14:41 . 2008-08-10 14:43 <DIR> d-------- C:\Program Files\Java
2008-08-10 12:56 . 2008-08-10 12:56 <DIR> d-------- C:\regsearch
2008-08-10 10:51 . 2008-08-10 10:51 <DIR> d-------- C:\_OTMoveIt
2008-08-10 10:37 . 2008-08-10 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 22:09 . 2007-06-27 09:41 101,248 -ra------ C:\WINDOWS\system32\drivers\swnc8u56.sys
2008-08-08 22:08 . 2007-06-27 09:42 73,856 -ra------ C:\WINDOWS\system32\drivers\swumx56.sys
2008-08-08 22:03 . 2008-08-08 22:03 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\AT&T
2008-08-08 22:01 . 2008-08-08 22:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
2008-08-08 21:58 . 2008-08-08 21:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Bytemobile
2008-08-08 21:57 . 2008-08-08 21:57 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\DBUpdater
2008-08-08 21:57 . 2003-09-08 14:43 89,728 --a------ C:\WINDOWS\system32\drivers\usbvsp.sys
2008-08-08 21:54 . 2008-08-08 21:49 26,504 --a------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-08-08 21:53 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-08-08 21:52 . 2008-08-08 21:52 <DIR> d-------- C:\Program Files\Common Files\Research in Motion
2008-08-08 21:52 . 2008-08-08 21:52 <DIR> d-------- C:\Program Files\AT&T
2008-08-08 21:52 . 2008-08-08 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AT&T
2008-08-08 21:51 . 2008-08-08 21:51 <DIR> d-------- C:\Program Files\Option
2008-08-08 21:50 . 2008-08-08 21:50 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-08-08 21:48 . 2008-08-08 21:48 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-08-08 21:48 . 2008-08-08 21:48 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\Sierra Wireless
2008-08-07 11:59 . 2008-08-07 11:59 <DIR> d-------- C:\MyWorkData
2008-08-06 13:07 . 2008-08-06 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teradata
2008-08-06 11:34 . 2008-07-01 13:21 25,600 --a------ C:\WINDOWS\system32\drivers\pnmgr.sys
2008-08-06 11:14 . 2008-08-06 11:14 <DIR> d-------- C:\td12software
2008-08-06 11:06 . 2008-08-06 11:15 267,684 --a------ C:\WINDOWS\system32\setup.inx
2008-08-06 10:35 . 2008-08-07 17:35 <DIR> d-------- C:\Program Files\Teradata
2008-08-04 14:44 . 2008-08-04 14:44 0 --a------ C:\s1f8.i8
2008-08-01 18:13 . 2008-08-13 21:49 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-30 11:52 . 2008-07-30 11:52 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\acccore
2008-07-30 11:51 . 2008-08-10 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-30 11:50 . 2008-07-30 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-30 11:49 . 2008-07-30 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-30 11:49 . 2008-07-30 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-30 11:48 . 2008-07-30 11:48 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-07-30 11:48 . 2008-07-30 11:51 <DIR> d-------- C:\Program Files\AIM6
2008-07-30 11:48 . 2008-07-30 11:51 454 --ah----- C:\IPH.PH
2008-07-30 11:19 . 2008-07-30 11:52 <DIR> d-------- C:\Program Files\Trillian
2008-07-25 11:35 . 2008-02-12 13:45 45,568 --a------ C:\WINDOWS\system32\lmdimon.dll
2008-07-25 10:54 . 2008-07-25 10:55 <DIR> d-------- C:\Documents and Settings\sw185041\Application Data\Media Player Classic
2008-07-25 10:49 . 2008-06-30 09:47 421,888 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-07-25 10:48 . 2008-07-25 10:49 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-07-25 07:21 . 2008-07-25 07:21 <DIR> d-------- C:\Program Files\TechSmith
2008-07-25 07:21 . 2008-07-25 07:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-07-24 16:58 . 2008-07-24 16:58 <DIR> d-------- C:\Program Files\ToniArts
2008-07-24 16:34 . 2008-08-12 19:09 <DIR> d-------- C:\Program Files\RegScrubXP
2008-07-23 11:30 . 2008-07-23 11:30 <DIR> d-------- C:\Deckard
2008-07-23 11:12 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-23 11:11 . 2008-07-23 11:11 <DIR> d-------- C:\Program Files\Panda Security
2008-07-20 21:31 . 2008-07-23 11:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-20 21:31 . 2008-07-20 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 12:53 --------- d-----w C:\Program Files\ENDFORCE
2008-08-14 03:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-08-14 03:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-08-14 02:43 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-14 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-09 02:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-07 19:43 --------- d-----w C:\Program Files\oneworldflights
2008-08-07 00:05 --------- d-----w C:\Program Files\NCR
2008-07-25 19:16 --------- d-----w C:\Documents and Settings\sw185041\Application Data\uTorrent
2008-07-25 12:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 15:22 --------- d-----w C:\Program Files\Google
2008-07-23 20:20 --------- d-----w C:\Documents and Settings\sw185041\Application Data\VMware
2008-07-23 17:48 --------- d-----w C:\Documents and Settings\sw185041\Application Data\Yahoo!
2008-07-23 15:57 --------- d-----w C:\Program Files\Yahoo!
2008-07-21 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-21 01:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-18 18:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-07-07 23:20 --------- d-----w C:\Program Files\Add-in Express
2008-07-05 10:14 456,192 ----a-w C:\WINDOWS\system32\libmplayer.dll
2008-07-05 10:14 3,591,168 ----a-w C:\WINDOWS\system32\libavcodec.dll
2008-07-05 10:13 708,096 ----a-w C:\WINDOWS\system32\ff_x264.dll
2008-06-22 16:34 177,664 ----a-w C:\WINDOWS\system32\ff_theora.dll
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 10:39 23,552 ----a-w C:\WINDOWS\system32\ff_wmv9.dll
2008-06-12 17:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-06-12 16:25 962,560 ----a-w C:\WINDOWS\system32\VSFilter.dll
2008-01-29 23:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Simp"="C:\Program Files\Secway\SimpLite-MSN 2.2\SimpLite-MSN.exe" [2007-08-28 19:29 2150400]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-06-19 12:51 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 22:00 344064]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 18:24 684032]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 09:04 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"NCR-Netmeeting Check"="C:\WINDOWS\NMTRepair.EXE" [2006-01-03 14:41 164258]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34 851968]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32 221184]
"OfficeScanNT Monitor"="C:\Program Files\Common Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 19:20 356429]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 18:26 217088]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [2007-05-01 22:46 56112]
"ENDFORCEAgent"="C:\Program Files\ENDFORCE\AgntTray.exe" [2007-06-27 23:35 1650688]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-07-24 10:22 29744]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2008-05-01 22:06 33280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\sw185041\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 17:34:48 3746856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 11:11:42 49152]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-06 01:25:01 24576]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-04-07 20:36:48 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 07:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 14:44 196608 C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 15:24 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 15:14 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-25 08:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"C:\\Program Files\\Secway\\SimpLite-MSN 2.2\\SimpLite-MSN.exe"=
"C:\\Documents and Settings\\sw185041\\My Documents\\My Videos\\utorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 bynetpnp;NCR Bynet Interconnect;C:\WINDOWS\system32\DRIVERS\bynetpnp.sys [2006-01-04 10:00]
R0 ncrbynet;NCR Bynet Low Latency Interface;C:\WINDOWS\system32\DRIVERS\ncrbynet.sys [2006-01-04 10:00]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 Appfilt;Appfilt;C:\WINDOWS\system32\drivers\Appfilt.sys [2007-01-25 14:11]
R1 efpktftr;ENDFORCE Quarantine Filter;C:\WINDOWS\System32\Drivers\efPktFtr.sys [2007-06-27 20:38]
R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS [2007-01-30 00:43]
R2 bynet;Bynet;C:\Program Files\NCR\BYNET\blmsvc.exe [2006-01-04 10:01]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 02:50]
R2 ENDFORCE Agent API;ENDFORCE Agent API;C:\Program Files\ENDFORCE\AgentAPI.exe [2007-06-27 15:12]
R2 GtwRsrvTdmst;Teradata GTW Reserve Port;C:\Program Files\NCR\Tdat\TGTW\06.01.00.12\bin\GtwRsrvTdmst.exe [2006-01-13 14:12]
R2 ISService;Teradata Manager Service;C:\Program Files\Teradata\Teradata Manager 13.0\Bin\isservice.exe [2008-07-28 13:00]
R2 PdeinetdService;Teradata inetd Service;C:\Program Files\NCR\Tdat\PDE\06.01.00.12\bin\pdeinetd.exe [2006-03-02 07:10]
R2 PnMgr;PnMgr;C:\WINDOWS\system32\Drivers\PnMgr.sys [2008-07-01 13:21]
R2 PUTFileSvc;NCR PUT File Service;C:\Program Files\NCR\NCRput\bin\wfxrd.exe [2008-07-01 13:25]
R2 PUTJobSvc;NCR PUT Job Service;C:\Program Files\NCR\NCRput\bin\putjobd.exe [2008-07-01 13:24]
R2 PUTPortMgrSvc;NCR PUT Port Manager Service;C:\Program Files\NCR\NCRput\bin\portmgmt.exe [2008-07-01 13:24]
R3 ATTRcAppSvc;AT&T RcAppSvc;C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe [2008-03-06 16:10]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2006-12-19 12:00]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 17:46]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-12-19 12:00]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2006-02-09 02:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 05:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 ExtranetAccess;Contivity VPN Service;C:\Program Files\Nortel Networks\Extranet_serv.exe [2006-12-19 11:55]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-24 10:22]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-12-19 12:00]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 Pdesys;PDE Sys Driver;C:\WINDOWS\system32\drivers\pdesys.sys [2005-11-07 02:10]
S3 recond;Teradata RDBMS Initiator;C:\Program Files\NCR\Tdat\PDE\06.01.00.12\bin\recond.exe [2006-03-02 07:16]
S3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2008-08-08 21:49]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);C:\WINDOWS\system32\DRIVERS\swnc8u56.sys [2007-06-27 09:41]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);C:\WINDOWS\system32\DRIVERS\swumx56.sys [2007-06-27 09:42]
S3 TdqmServerService;TQS Server;C:\Program Files\NCR\Teradata Query Scheduler 12.0\server\tdqmserv.exe [2007-08-22 01:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15ba22fe-81d3-11dc-b14b-0016ce0b2c30}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38ff5f1b-64d1-11dd-b169-005056c00008}]
\Shell\AutoRun\command - E:\WIN\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6847d974-c525-11db-b11a-444553544200}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 08:46:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-15 8:50:05
ComboFix-quarantined-files.txt 2008-08-15 13:49:00
ComboFix2.txt 2008-08-14 03:55:52

Pre-Run: 5,116,878,848 bytes free
Post-Run: 5,096,169,472 bytes free

270

#22 Billy O'Neal

    Bleepin Microsoftie Engineer


  • Malware Response Instructor
  • 11,989 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 15 August 2008 - 11:05 PM

Hello, woodyatwork.
How are things running? Are the problems still there?

I need to have us submit a file for further analysis
  • Please go to this page.
  • Where it asks you to enter the topic link, enter
    http://www.bleepingcomputer.com/forums/index.php?showtopic=159258&view=findpost&p=911660
  • Where it asks you to browse for the file to submit, copy and paste in the following:
    C:\WINDOWS\system32\Drivers\PnMgr.sys
  • Push the "Send File" button
I need to have us submit a file for further analysis
  • Please go to this page.
  • Where it asks you to enter the topic link, enter
    http://www.bleepingcomputer.com/forums/index.php?showtopic=159258&view=findpost&p=911660
  • Where it asks you to browse for the file to submit, copy and paste in the following:
    C:\WINDOWS\system32\DRIVERS\eacfilt.sys
  • Push the "Send File" button
I need to have us submit a file for further analysis
  • Please go to this page.
  • Where it asks you to enter the topic link, enter
    http://www.bleepingcomputer.com/forums/index.php?showtopic=159258&view=findpost&p=911660
  • Where it asks you to browse for the file to submit, copy and paste in the following:
    C:\WINDOWS\system32\DRIVERS\gtipci21.sys
  • Push the "Send File" button
I need to have us submit a file for further analysis
  • Please go to this page.
  • Where it asks you to enter the topic link, enter
    http://www.bleepingcomputer.com/forums/index.php?showtopic=159258&view=findpost&p=911660
  • Where it asks you to browse for the file to submit, copy and paste in the following:
    C:\WINDOWS\system32\drivers\swmsflt.sys
  • Push the "Send File" button
Billy3
Look buddy, I'm an Engineer, and that means I solve problems. Not problems like "What is beauty?" .. 'cause that would fall within the purview of your conundrums of philosophy....
GitHub - Twitter
My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#23 woodyatwork
  • Topic Starter

  • Members
  • 18 posts

Posted 16 August 2008 - 09:20 AM

I have uploaded these files.

I'll use IE for a couple days to be sure, but this morning everything appears to be working fine.

I really appreciate your help.

I have tried to sign up for the class to help you guys out, but it is always full. I'll keep trying.

Thanks.

#24 Billy O'Neal

    Bleepin Microsoftie Engineer


  • Malware Response Instructor
  • 11,989 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 16 August 2008 - 09:52 AM

Hello, woodyatwork.

I'll look to see you in there :thumbsup: Good luck!

We need to remove ComboFix
  • Click START then RUN
  • Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.
Billy3

#25 Billy O'Neal

    Bleepin Microsoftie Engineer


  • Malware Response Instructor
  • 11,989 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 18 August 2008 - 10:22 AM

Hello, woodyatwork.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3