Sinowal infection; Google and Bing redirection in IE8 and Firefox

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Sinowal infection; Google and Bing redirection in IE8 and Firefox Assistance with removal

#1 mattstur

New Member

Group: Members
Posts: 11
Joined: 13-July 11

Posted 14 July 2011 - 02:36 AM

Hi, I am infected with Sinowal MBRvirus which is causing Google and Bing search results links to redirect to various advertising sites. Surprisingly, Sophos (autoupdate 10min intervals) has not detected this. We have a Sonicwall firewall on the network; other details as per log below. I would appreciate some assistance with the removal of the virus, please.

Regards,
MattS

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by MattS at 13:05:25 on 2011-07-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.434 [GMT 10:00]
.
AV: Sophos Anti-Virus *Enabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
============== Running Processes ================
.
E:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Sophos\AutoUpdate\almon.exe
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\PROGRESS\bin\AdmSrvc.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\PROGRA~1\MICROS~4\rapimgr.exe
E:\WINDOWS\system32\cisvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
E:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\PROGRESS\jre\bin\java.exe
E:\Program Files\Sophos\AutoUpdate\ALsvc.exe
E:\Program Files\Sophos\Remote Management System\RouterNT.exe
E:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
E:\WINDOWS\system32\SearchIndexer.exe
E:\WINDOWS\System32\alg.exe
C:\Program Files\PROGRESS\jre\bin\java.exe
E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
E:\PROGRA~1\COMPON~1\CS-RCS\System\csrcssrv.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\SearchFilterHost.exe
E:\WINDOWS\system32\SearchProtocolHost.exe
E:\WINDOWS\system32\wbem\wmiprvse.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k NetworkService
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\System32\svchost.exe -k Akamai
E:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://image.bizit.com.au/images/AusBrkBulk/login.asp
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - e:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: AcroIEToolbarHelper Class: {AE7CD045-E861-484f-8273-0445EE161910} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] e:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "e:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "e:\program files\microsoft activesync\Wcescomm.exe"
mRun: [Sophos AutoUpdate Monitor] e:\program files\sophos\autoupdate\almon.exe
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - e:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - e:\program files\microsoft office\office\OSA9.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Web Capture - e:\program files\smarthru office\WebCapture.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - e:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - e:\program files\microsoft activesync\INetRepl.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245127871225
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245634852839
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.208.14 203.8.183.1
TCP: Interfaces\{132931AB-F7BE-490E-8CF2-7BB01DC970D2} : DHCPNameServer = 192.168.208.14 203.8.183.1
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - e:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "e:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "e:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\documents and settings\matts\application data\mozilla\firefox\profiles\awiz02g4.default\
FF - prefs.js: browser.startup.homepage - hxxp://image.bizit.com.au/images/AusBrkBulk/login.asp
FF - plugin: e:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: e:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - e:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccessControl;SAVOnAccessControl;e:\windows\system32\drivers\savonaccesscontrol.sys [2009-6-16 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;e:\windows\system32\drivers\savonaccessfilter.sys [2009-6-16 24064]
R2 AdminService9.1D;AdminService for PROGRESS 9.1D;c:\program files\progress\bin\admsrvc.exe [2005-7-6 20480]
R2 Akamai;Akamai NetSession Interface;e:\windows\system32\svchost.exe -k Akamai [2007-7-27 14336]
R2 SAVAdminService;Sophos Anti-Virus status reporter;e:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-3-25 163056]
R2 SAVService;Sophos Anti-Virus;e:\program files\sophos\sophos anti-virus\SavService.exe [2011-3-25 97520]
R2 Sophos Agent;Sophos Agent;e:\program files\sophos\remote management system\ManagementAgentNT.exe [2011-3-29 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;e:\program files\sophos\autoupdate\ALsvc.exe [2010-9-30 230640]
R2 Sophos Message Router;Sophos Message Router;e:\program files\sophos\remote management system\RouterNT.exe [2011-3-29 806912]
R2 swi_service;Sophos Web Intelligence Service;e:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2011-3-25 1541360]
R3 es1969;ESS 1969 Audio Driver (WDM);e:\windows\system32\drivers\es1969.sys [2009-6-17 72704]
R3 xcpip;TCP/IP Protocol Driver;e:\windows\system32\drivers\xcpip.sys --> e:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;e:\windows\system32\drivers\xpsec.sys --> e:\windows\system32\drivers\xpsec.sys [?]
S2 gupdate;Google Update Service (gupdate);e:\program files\google\update\GoogleUpdate.exe [2010-10-18 136176]
S2 SSPORT;SSPORT;\??\e:\windows\system32\drivers\ssport.sys --> e:\windows\system32\drivers\SSPORT.sys [?]
S3 B-Service;B-Service;e:\documents and settings\matts\local settings\temporary internet files\content.ie5\fbom80h4\b-service.exe --> e:\documents and settings\matts\local settings\temporary internet files\content.ie5\fbom80h4\B-Service.exe [?]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\google\update\GoogleUpdate.exe [2010-10-18 136176]
S3 ProService9.1D;ProService for 9.1D;c:\program files\progress\bin\prosrvc.exe [2005-7-6 126976]
S3 sdcfilter;sdcfilter;e:\windows\system32\drivers\sdcfilter.sys [2011-3-25 23928]
S4 SophosBootDriver;SophosBootDriver;e:\windows\system32\drivers\SophosBootDriver.sys [2009-6-16 14976]
.
=============== Created Last 30 ================
.
2011-07-13 02:22:07 -------- d-----w- e:\windows\system32\NtmsData
2011-07-11 00:54:26 462848 ----a-w- e:\windows\system32\providorduaqhn.dll
2011-06-21 05:18:24 73728 ----a-w- e:\windows\system32\javacpl.cpl
2011-06-21 05:18:24 476904 ----a-w- e:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-06-21 05:18:24 472808 ----a-w- e:\windows\system32\deployJava1.dll
2011-06-21 01:10:00 -------- d-----w- E:\OE102b
2011-06-17 02:01:31 105472 -c----w- e:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-06-23 02:39:32 404640 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- e:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ----a-w- e:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- e:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- e:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- e:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- e:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- e:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- e:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- e:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- e:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- e:\windows\system32\drivers\mup.sys
.
============= FINISH: 13:06:31.84 ===============

Attached File(s)

attach.txt (12.55K)
Number of downloads: 0
ark.txt (32.58K)
Number of downloads: 0

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 19 July 2011 - 11:51 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

DeFogger

desktop

DeFogger

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK

Do not

Download DDS:

DDS by sUBs

Link1

Link2

Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
- DDS.txt
- Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

Please Download Rootkit Unhooker Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

In your next post I need the following

.logs from DDS
log from RKUnHooker
let me know of any problems you may have had

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 mattstur

New Member

Group: Members
Posts: 11
Joined: 13-July 11

Posted 19 July 2011 - 08:43 PM

Hi Gringo,

Thanks for the reply and your assistance. In adition to previous problems, I have been informed by financial institutions that they have detected malware from my computer. Internet account access has been disabled, and I had already changed all passwords from another computer. The system log in Event Viewer also appears to have been cleared. The results:

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by MattS at 11:20:10 on 2011-07-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.464 [GMT 10:00]
.
AV: Sophos Anti-Virus *Enabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
============== Running Processes ================
.
E:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
E:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PROGRESS\bin\AdmSrvc.exe
E:\WINDOWS\system32\cisvc.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\PROGRESS\jre\bin\java.exe
E:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
E:\Program Files\Sophos\AutoUpdate\ALsvc.exe
E:\Program Files\Sophos\Remote Management System\RouterNT.exe
E:\Program Files\Sophos\AutoUpdate\almon.exe
E:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
E:\WINDOWS\system32\SearchIndexer.exe
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\PROGRA~1\MICROS~4\rapimgr.exe
E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
E:\WINDOWS\System32\alg.exe
E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\PROGRESS\jre\bin\java.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\system32\SearchProtocolHost.exe
E:\WINDOWS\system32\SearchFilterHost.exe
E:\WINDOWS\system32\wbem\wmiprvse.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k NetworkService
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\System32\svchost.exe -k Akamai
E:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://image.bizit.com.au/images/AusBrkBulk/login.asp
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - e:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: AcroIEToolbarHelper Class: {AE7CD045-E861-484f-8273-0445EE161910} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - e:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] e:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "e:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "e:\program files\microsoft activesync\Wcescomm.exe"
mRun: [Sophos AutoUpdate Monitor] e:\program files\sophos\autoupdate\almon.exe
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - e:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - e:\program files\microsoft office\office\OSA9.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Web Capture - e:\program files\smarthru office\WebCapture.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - e:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - e:\program files\microsoft activesync\INetRepl.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245127871225
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245634852839
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.208.14 203.8.183.1
TCP: Interfaces\{132931AB-F7BE-490E-8CF2-7BB01DC970D2} : DHCPNameServer = 192.168.208.14 203.8.183.1
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - e:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "e:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "e:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\documents and settings\matts\application data\mozilla\firefox\profiles\awiz02g4.default\
FF - prefs.js: browser.startup.homepage - hxxp://image.bizit.com.au/images/AusBrkBulk/login.asp
FF - plugin: e:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: e:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - e:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccessControl;SAVOnAccessControl;e:\windows\system32\drivers\savonaccesscontrol.sys [2009-6-16 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;e:\windows\system32\drivers\savonaccessfilter.sys [2009-6-16 24064]
R2 AdminService9.1D;AdminService for PROGRESS 9.1D;c:\program files\progress\bin\admsrvc.exe [2005-7-6 20480]
R2 Akamai;Akamai NetSession Interface;e:\windows\system32\svchost.exe -k Akamai [2007-7-27 14336]
R2 SAVAdminService;Sophos Anti-Virus status reporter;e:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-3-25 163056]
R2 SAVService;Sophos Anti-Virus;e:\program files\sophos\sophos anti-virus\SavService.exe [2011-3-25 97520]
R2 Sophos Agent;Sophos Agent;e:\program files\sophos\remote management system\ManagementAgentNT.exe [2011-3-29 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;e:\program files\sophos\autoupdate\ALsvc.exe [2010-9-30 230640]
R2 Sophos Message Router;Sophos Message Router;e:\program files\sophos\remote management system\RouterNT.exe [2011-3-29 806912]
R2 swi_service;Sophos Web Intelligence Service;e:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2011-3-25 1541360]
R3 es1969;ESS 1969 Audio Driver (WDM);e:\windows\system32\drivers\es1969.sys [2009-6-17 72704]
R3 xcpip;TCP/IP Protocol Driver;e:\windows\system32\drivers\xcpip.sys --> e:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;e:\windows\system32\drivers\xpsec.sys --> e:\windows\system32\drivers\xpsec.sys [?]
S2 gupdate;Google Update Service (gupdate);e:\program files\google\update\GoogleUpdate.exe [2010-10-18 136176]
S2 SSPORT;SSPORT;\??\e:\windows\system32\drivers\ssport.sys --> e:\windows\system32\drivers\SSPORT.sys [?]
S3 B-Service;B-Service;e:\documents and settings\matts\local settings\temporary internet files\content.ie5\fbom80h4\b-service.exe --> e:\documents and settings\matts\local settings\temporary internet files\content.ie5\fbom80h4\B-Service.exe [?]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\google\update\GoogleUpdate.exe [2010-10-18 136176]
S3 ProService9.1D;ProService for 9.1D;c:\program files\progress\bin\prosrvc.exe [2005-7-6 126976]
S3 sdcfilter;sdcfilter;e:\windows\system32\drivers\sdcfilter.sys [2011-3-25 23928]
S4 SophosBootDriver;SophosBootDriver;e:\windows\system32\drivers\SophosBootDriver.sys [2009-6-16 14976]
.
=============== Created Last 30 ================
.
2011-07-13 02:22:07 -------- d-----w- e:\windows\system32\NtmsData
2011-07-11 00:54:26 462848 ----a-w- e:\windows\system32\providorduaqhn.dll
2011-06-21 05:18:24 73728 ----a-w- e:\windows\system32\javacpl.cpl
2011-06-21 05:18:24 476904 ----a-w- e:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-06-21 05:18:24 472808 ----a-w- e:\windows\system32\deployJava1.dll
2011-06-21 01:10:00 -------- d-----w- E:\OE102b
.
==================== Find3M ====================
.
2011-06-23 02:39:32 404640 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- e:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ----a-w- e:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- e:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- e:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- e:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- e:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- e:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- e:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- e:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- e:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- e:\windows\system32\drivers\mup.sys
.
============= FINISH: 11:21:15.29 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-07-14.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 16/06/2009 3:00:54 PM
System Uptime: 20/07/2011 10:45:56 AM (1 hours ago)
.
Motherboard: Giga-Byte Technology Co., LTD | | 8IDML
Processor: Intel® Pentium® 4 CPU 1.60GHz | Socket 478 | 1600/100mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (FAT32) - 75 GiB total, 22.305 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 75 GiB total, 40.595 GiB free.
N: is NetworkDisk (NTFS) - 59 GiB total, 27.483 GiB free.
O: is NetworkDisk (NTFS) - 117 GiB total, 21.665 GiB free.
P: is NetworkDisk (NTFS) - 53 GiB total, 27.958 GiB free.
R: is NetworkDisk (NTFS) - 59 GiB total, 27.483 GiB free.
S: is NetworkDisk (NTFS) - 37 GiB total, 21.009 GiB free.
T: is NetworkDisk (NTFS) - 39 GiB total, 26.318 GiB free.
U: is NetworkDisk (NTFS) - 39 GiB total, 26.318 GiB free.
V: is NetworkDisk (NTFS) - 427 GiB total, 357.163 GiB free.
W: is NetworkDisk (NTFS) - 53 GiB total, 27.958 GiB free.
X: is NetworkDisk (NTFS) - 37 GiB total, 21.009 GiB free.
Y: is NetworkDisk (NTFS) - 12 GiB total, 2.051 GiB free.
Z: is NetworkDisk (NTFS) - 12 GiB total, 2.051 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP312: 22/06/2011 6:35:04 PM - System Checkpoint
RP313: 24/06/2011 11:02:49 AM - System Checkpoint
RP314: 29/06/2011 3:24:55 PM - System Checkpoint
RP315: 29/06/2011 6:26:16 PM - Software Distribution Service 3.0
RP316: 5/07/2011 5:01:52 PM - System Checkpoint
RP317: 7/07/2011 11:05:10 AM - System Checkpoint
RP318: 12/07/2011 1:07:51 PM - System Checkpoint
RP319: 13/07/2011 9:35:36 AM - Software Distribution Service 3.0
RP320: 13/07/2011 3:34:29 PM - Software Distribution Service 3.0
RP321: 14/07/2011 5:14:47 PM - System Checkpoint
RP322: 19/07/2011 6:57:17 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Akamai NetSession Interface
BizActiveSync
BizDespatch
Compatibility Pack for the 2007 Office system
ComponentSoftware Revision Control System (CS-RCS)
Critical Update for Windows Media Player 11 (KB959772)
D-Link PCI Fast Ethernet Adapter
Google Earth
Google Update Helper
GoToMeeting 4.7.0.595
Hackman Hex Editor
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java™ 6 Update 26
Microsoft ActiveSync
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2000 SR-1 Professional
Microsoft Office Live Meeting 2007
Microsoft Silverlight
Microsoft SQL Server 7.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox (3.5.7)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
Pacific Poker
Pocket Controller-Professional
PROGRESS 9.1D
Progress 9.1D Doc & Viewer
Readiris Pro 10
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sophos Anti-Virus
Sophos AutoUpdate
Sophos Remote Management System
TeamViewer 6
TextPad 4.7
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Grep 2.3
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinMerge 2.4.4.0
WinRAR archiver
WinZip
.
==== Event Viewer Messages From Past Week ========
.
20/07/2011 9:52:21 AM, error: Service Control Manager [7034] - The Sophos Anti-Virus service terminated unexpectedly. It has done this 1 time(s).
20/07/2011 9:52:21 AM, error: SAVOnAccessControl [37] - Driver threads still active when driver is being shutdown.
20/07/2011 9:37:29 AM, error: System Error [1003] - Error code 00000077, parameter1 c000000e, parameter2 c000000e, parameter3 00000000, parameter4 0601f000.
20/07/2011 9:37:09 AM, error: Service Control Manager [7000] - The SSPORT service failed to start due to the following error: The system cannot find the file specified.
20/07/2011 9:35:05 AM, error: NETLOGON [5719] - No Domain Controller is available for domain BIZCOM due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
.
==== End Of File ===========================

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF012000 E:\WINDOWS\System32\nv4_disp.dll 4276224 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 56.73 )
0x804D7000 E:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xF743D000 E:\WINDOWS\system32\DRIVERS\nv4_mini.sys 1900544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 )
0xBF800000 Win32k 1859584 bytes
0xBF800000 E:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF769C000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF5E71000 E:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xF5F12000 E:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7299000 E:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF601F000 E:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF4BA9000 E:\WINDOWS\system32\drivers\xcpip.sys 364544 bytes
0xF3A79000 E:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xF32BD000 E:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF731F000 E:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF77E0000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF3E19000 E:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF766F000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF303A000 E:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF5FAA000 E:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF5FF7000 E:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF778A000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF5EEC000 E:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF60AB000 E:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys 155648 bytes (Sophos Plc, SAV On-access and HIPS for Windows XP (x86))
0xF5E4D000 E:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF73F3000 E:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF73AC000 E:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF73D0000 E:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF361E000 E:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xF5FD5000 E:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EF000 ACPI_HAL 131840 bytes
0x806EF000 E:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7752000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF77B0000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7655000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7772000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF5E0D000 E:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7729000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF7360000 E:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF3E94000 E:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7398000 E:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF7429000 E:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF6078000 E:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF4C02000 E:\WINDOWS\system32\drivers\xpsec.sys 77824 bytes
0xBF000000 E:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7417000 E:\WINDOWS\system32\drivers\es1969.sys 73728 bytes (ESS Technology Inc., ESS ES1969 PCI Audio Adapter Driver)
0xF7740000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF77CF000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF734F000 E:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF3D81000 E:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7A0F000 E:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7A2F000 E:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF79EF000 E:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7A1F000 E:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF4DDD000 E:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF78DF000 E:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF4A09000 E:\WINDOWS\system32\Drivers\DgiVecp.sys 57344 bytes (Samsung Electronics Co., Ltd., Windows 2k,XP IEEE-1284 parallel class driver for ECP, Byte, and Nibble modes)
0xF786F000 E:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7A3F000 E:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7A4F000 E:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF784F000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF794F000 E:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF7A6F000 E:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF787F000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF79FF000 E:\WINDOWS\system32\DRIVERS\dlkfet5b.sys 45056 bytes (D-Link , NDIS 5.0 miniport driver)
0xF790F000 E:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF783F000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7A5F000 E:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF782F000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF78AF000 E:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7A9F000 E:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF30E5000 E:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF785F000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF793F000 E:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7A7F000 E:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF78EF000 E:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF79DF000 E:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF791F000 E:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7BCF000 E:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7B67000 E:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7BB7000 E:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7ACF000 E:\DOCUME~1\matts\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF7BD7000 E:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xF7AAF000 E:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7B6F000 E:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7B8F000 E:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7BA7000 E:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys 24576 bytes (Sophos Plc, SAV On-access and HIPS for Windows XP (x86))
0xF7B57000 E:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF7B5F000 E:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7BBF000 E:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7B97000 E:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7BC7000 E:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7AB7000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7B7F000 E:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7B87000 E:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7B77000 E:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7BE7000 E:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7D13000 E:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF4B5D000 E:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7CEB000 E:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7C3F000 E:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF60E9000 E:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7CEF000 E:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF730B000 E:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7307000 E:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7CF3000 E:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7CD3000 E:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7D61000 E:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7D35000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7D7B000 E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7D5F000 E:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7D33000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7D2F000 E:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7D63000 E:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7DBB000 E:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7D65000 E:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7D4F000 E:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7D59000 E:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7D31000 E:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7F5A000 E:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7F2D000 E:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7F59000 E:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)
0xF7EBB000 E:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
0x862A1B9D Unknown page with executable code, 1123 bytes
0x862B8AEE Unknown page with executable code, 1298 bytes
0x862C6AB4 Unknown page with executable code, 1356 bytes
0x862A27E1 Unknown page with executable code, 2079 bytes
0x862B953E Unknown page with executable code, 2754 bytes
0x862BA4F2 Unknown page with executable code, 2830 bytes
0x862B932B Unknown page with executable code, 3285 bytes
0x86284184 Unknown page with executable code, 3708 bytes
0x862A4E8A Unknown page with executable code, 374 bytes
0x862A504F Unknown page with executable code, 4017 bytes
0x862BBD9E Unknown page with executable code, 610 bytes

Regards,

mattstur

#4 mattstur

New Member

Group: Members
Posts: 11
Joined: 13-July 11

Posted 19 July 2011 - 10:10 PM

Hi Gringo,

I've also recently had a couple "blue screens"; the first was a"kernel_stack_inpage_error" and the second was something like "IRQ not less than or equal" (sorry, lost the exact wording). When it rebooted, I got the "Recovered from a serious error" message and selected "Send report". This was attempted to be redirected, but was blocked by our firewall.

Cheers,
mattstur

This post has been edited by mattstur: 19 July 2011 - 10:11 PM

#5 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 20 July 2011 - 02:33 AM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#6 mattstur

New Member

Group: Members
Posts: 11
Joined: 13-July 11

Posted 20 July 2011 - 08:32 PM

Hi Gringo,

Thanks very much for your help. There were no problems when running Combofix. The redirection problem with the browsers is fixed. The computer still runs like a piece of cr@p, but that is more to do with age

).

Regards,

mattstur

ComboFix 11-07-20.05 - MattS 21/07/2011 10:30:00.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.542 [GMT 10:00]
Running from: e:\documents and settings\matts\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
e:\documents and settings\matts\WINDOWS
e:\windows\system32\spool\prtprocs\w32x86\sss1mpc.dll
e:\windows\system32\test
.
.
((((((((((((((((((((((((( Files Created from 2011-06-21 to 2011-07-21 )))))))))))))))))))))))))))))))
.
.
2011-07-13 02:22 . 2011-07-13 02:22 -------- d-----w- e:\windows\system32\NtmsData
2011-07-11 00:54 . 2011-07-11 00:54 462848 ----a-w- e:\windows\system32\providorduaqhn.dll
2011-06-21 05:19 . 2011-06-21 05:19 -------- d-----w- e:\windows\Sun
2011-06-21 05:18 . 2011-06-21 05:18 -------- d-----w- e:\program files\Common Files\Java
2011-06-21 05:18 . 2011-06-21 05:18 73728 ----a-w- e:\windows\system32\javacpl.cpl
2011-06-21 05:18 . 2011-06-21 05:18 476904 ----a-w- e:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-21 05:18 . 2011-06-21 05:18 472808 ----a-w- e:\windows\system32\deployJava1.dll
2011-06-21 05:17 . 2011-06-21 05:17 -------- d-----w- e:\program files\Java
2011-06-21 01:10 . 2011-06-22 08:41 -------- d-----w- E:\OE102b
2011-06-21 00:54 . 2011-06-22 01:25 -------- d-----w- e:\documents and settings\matts\Application Data\Download Manager
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-23 02:39 . 2011-05-18 23:37 404640 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 23:26 . 2011-06-07 23:26 5887558 ----a-w- E:\rinnai.zip
2011-06-02 14:02 . 2007-07-27 12:00 1858944 ----a-w- e:\windows\system32\win32k.sys
2011-05-02 15:31 . 2009-06-16 04:52 692736 ----a-w- e:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2007-07-27 12:00 151552 ----a-w- e:\windows\system32\schannel.dll
2011-04-29 16:19 . 2007-07-27 12:00 456320 ----a-w- e:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2007-07-27 12:00 33280 ----a-w- e:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2007-07-27 12:00 293376 ----a-w- e:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2007-07-27 12:00 916480 ----a-w- e:\windows\system32\wininet.dll
2011-04-25 16:11 . 2007-07-27 12:00 43520 ----a-w- e:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2007-07-27 12:00 1469440 ----a-w- e:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2007-07-27 12:00 385024 ----a-w- e:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="e:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sophos AutoUpdate Monitor"="e:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-30 439536]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
e:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - e:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Microsoft Office.lnk - e:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "e:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\program files\Microsoft ActiveSync\rapimgr.exe"= e:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"e:\program files\Microsoft ActiveSync\wcescomm.exe"= e:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"e:\program files\Microsoft ActiveSync\WCESMgr.exe"= e:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R1 SAVOnAccessControl;SAVOnAccessControl;e:\windows\system32\drivers\savonaccesscontrol.sys [16/06/2009 4:28 PM 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;e:\windows\system32\drivers\savonaccessfilter.sys [16/06/2009 4:28 PM 24064]
R2 AdminService9.1D;AdminService for PROGRESS 9.1D;c:\program files\PROGRESS\bin\admsrvc.exe [6/07/2005 2:28 PM 20480]
R2 Akamai;Akamai NetSession Interface;e:\windows\System32\svchost.exe -k Akamai [27/07/2007 10:00 PM 14336]
R2 SAVAdminService;Sophos Anti-Virus status reporter;e:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [25/03/2011 4:04 PM 163056]
R2 SAVService;Sophos Anti-Virus;e:\program files\Sophos\Sophos Anti-Virus\SavService.exe [25/03/2011 4:04 PM 97520]
R2 swi_service;Sophos Web Intelligence Service;e:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [25/03/2011 4:04 PM 1541360]
R3 es1969;ESS 1969 Audio Driver (WDM);e:\windows\system32\drivers\es1969.sys [17/06/2009 12:26 AM 72704]
R3 xcpip;TCP/IP Protocol Driver;e:\windows\system32\drivers\xcpip.sys --> e:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;e:\windows\system32\drivers\xpsec.sys --> e:\windows\system32\drivers\xpsec.sys [?]
S2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [18/10/2010 9:52 AM 136176]
S2 SSPORT;SSPORT;\??\e:\windows\system32\Drivers\SSPORT.sys --> e:\windows\system32\Drivers\SSPORT.sys [?]
S3 B-Service;B-Service;e:\documents and settings\matts\Local Settings\Temporary Internet Files\Content.IE5\FBOM80H4\B-Service.exe --> e:\documents and settings\matts\Local Settings\Temporary Internet Files\Content.IE5\FBOM80H4\B-Service.exe [?]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\Google\Update\GoogleUpdate.exe [18/10/2010 9:52 AM 136176]
S3 ProService9.1D;ProService for 9.1D;c:\program files\PROGRESS\bin\prosrvc.exe [6/07/2005 2:29 PM 126976]
S3 sdcfilter;sdcfilter;e:\windows\system32\drivers\sdcfilter.sys [25/03/2011 4:04 PM 23928]
S4 SophosBootDriver;SophosBootDriver;e:\windows\system32\drivers\SophosBootDriver.sys [16/06/2009 4:29 PM 14976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-15 e:\windows\Tasks\Friday Scan.job
- e:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2011-03-25 06:04]
.
2011-07-21 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 23:51]
.
2011-07-21 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 23:51]
.
2011-07-21 e:\windows\Tasks\User_Feed_Synchronization-{4A308ECF-F5C5-4327-98BC-07224B27FBA3}.job
- e:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://image.bizit.com.au/images/AusBrkBulk/login.asp
uInternet Connection Wizard,ShellNext = iexplore
IE: Web Capture - e:\program files\SmarThru Office\WebCapture.dll
TCP: DhcpNameServer = 192.168.208.14 203.8.183.1
FF - ProfilePath - e:\documents and settings\matts\Application Data\Mozilla\Firefox\Profiles\awiz02g4.default\
FF - prefs.js: browser.startup.homepage - hxxp://image.bizit.com.au/images/AusBrkBulk/login.asp
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - e:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-21 10:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"e:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(6088)
e:\windows\system32\WININET.dll
e:\progra~1\WINDOW~2\wmpband.dll
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Java\jre6\bin\jqs.exe
e:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\PROGRESS\jre\bin\java.exe
e:\program files\Sophos\AutoUpdate\ALsvc.exe
e:\program files\Sophos\Remote Management System\RouterNT.exe
e:\windows\system32\SearchIndexer.exe
e:\progra~1\MICROS~4\rapimgr.exe
c:\program files\PROGRESS\jre\bin\java.exe
.
**************************************************************************
.
Completion time: 2011-07-21 10:59:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-21 00:59
.
Pre-Run: 43,125,805,056 bytes free
Post-Run: 44,238,712,832 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 8B8849E123FF738FC07F527FCD2AF355

Attached File(s)

ComboFix.txt (10.78K)
Number of downloads: 1

This post has been edited by gringo_pr: 20 July 2011 - 08:39 PM

#7 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 20 July 2011 - 08:40 PM

HelpAsst_mebroot_fix

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
- helpasst -mbrt
Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

<-- Don't worry every little bit helps.

#8 mattstur

New Member

Group: Members
Posts: 11
Joined: 13-July 11

Posted 20 July 2011 - 09:25 PM

Latest result:

E:\Documents and Settings\matts\Desktop\HelpAsst_mebroot_fix.exe
Thu 21/07/2011 at 11:58:28.16

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 21/07/2011 at 12:20:14.22

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

Regards,
mattstur

#9 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 20 July 2011 - 09:31 PM

very good - now I need you to rerun combofix for me

gringo

<-- Don't worry every little bit helps.

#10 mattstur

New Member

Group: Members
Posts: 11
Joined: 13-July 11

Posted 20 July 2011 - 10:16 PM

Hi Gringo,

Combofix log attached. No problems when running.

Cheers,
mattstur

Attached File(s)

ComboFix.txt (9.78K)
Number of downloads: 6

#11 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 22 July 2011 - 02:52 AM

Hello

Cleanup helpasst

push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box

helpasst -cleanup

click ok

Clear your Java Cache

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Malwarebytes' Anti-Malware

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#12 mattstur

New Member

Group: Members
Posts: 11
Joined: 13-July 11

Posted 22 July 2011 - 04:33 AM

Hi Gringo,

I wasn't offered either of the following options when running Malwarebytes:

•When the scan is complete, click OK, then Show Results to view the results.

•Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.

It simply popped up with the log, below, in notepad.

While it was running, Sophos popped up a message saying it had detected Mal/Sinowal-N virus and moved it to quarantine.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7228

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/07/2011 7:19:29 PM
mbam-log-2011-07-22 (19-19-29).txt

Scan type: Quick scan
Objects scanned: 158504
Time elapsed: 7 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:46:59 PM, on 22/07/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PROGRESS\bin\AdmSrvc.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
E:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
E:\Program Files\Sophos\AutoUpdate\ALsvc.exe
E:\Program Files\Sophos\Remote Management System\RouterNT.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\PROGRESS\jre\bin\java.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Sophos\AutoUpdate\almon.exe
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\Microsoft ActiveSync\Wcescomm.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\PROGRESS\jre\bin\java.exe
E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\PROGRA~1\COMPON~1\CS-RCS\System\csrcssrv.exe
E:\WINDOWS\system32\freecell.exe
E:\WINDOWS\system32\msiexec.exe
E:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
E:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://image.bizit.com.au/images/AusBrkBulk/login.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - E:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] E:\Program Files\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Capture - E:\Program Files\SmarThru Office\WebCapture.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - https://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245127871225
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245634852839
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.bizit.com.au
O17 - HKLM\Software\..\Telephony: DomainName = internal.bizit.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.bizit.com.au
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\system32\browseui.dll
O23 - Service: AdminService for PROGRESS 9.1D (AdminService9.1D) - Unknown owner - C:\Program Files\PROGRESS\bin\AdmSrvc.exe
O23 - Service: B-Service - Unknown owner - E:\Documents and Settings\matts\Local Settings\Temporary Internet Files\Content.IE5\FBOM80H4\B-Service.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProService for 9.1D (ProService9.1D) - Progress Software - C:\Program Files\PROGRESS\bin\ProSrvc.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - E:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - E:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - E:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - E:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - E:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: Sophos Web Intelligence Service (swi_service) - Sophos Plc - E:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe

--
End of file - 7777 bytes

This post has been edited by mattstur: 22 July 2011 - 04:48 AM

#13 mattstur

New Member

Group: Members
Posts: 11
Joined: 13-July 11

Posted 22 July 2011 - 05:26 AM

Hi Gringo,

Will be offline for 60hrs.

Regards,
mattstur

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,515
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 22 July 2011 - 04:04 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brakets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the activex control to install
- Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options
Click Scan
Wait for the scan to finish
Click on copy to clipboard and paste the results here in this topic
you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

<-- Don't worry every little bit helps.

#15 mattstur

New Member

Group: Members
Posts: 11
Joined: 13-July 11

Posted 25 July 2011 - 12:53 AM

Hey Gringo,

Ran ESET with following results:

C:\WINDOWS\Temporary Internet Files\Content.IE5\UTS72PE5\banner[1].html HTML/ScrInject.B.Gen virus
C:\System Volume Information\_restore{26AB9FC4-FE59-499E-9600-591197ABD0C0}\RP317\A0759260.exe Win32/Jep.Russ joke
E:\WINDOWS\system32\providorduaqhn.dll a variant of Win32/Kryptik.QOY trojan

Cheers,
mattstur