Malware on Work PC - XP Pro


  • This topic is locked
4 replies to this topic

#1 Blue Ink Alchemist

  • Members
  • 3 posts

Posted 01 May 2009 - 02:52 PM

Greetings, all!

I've spent most of this Friday on an anti-malware crusade. It's infected my work PC pretty badly. I've run Spybot several times, and have even gone through the process of running GooredFix and Combo-Fix. Unfortunately, little problems like the AHTN desktop hijack still exist! How do I rid myself of this annoying and potentially dangerous problem?

Below you will find, in order, the contents of GooredLog.txt, Combo Fix's log, and my latest HJT log. Thank you in advance!

GooredLog.txt:
GooredFix v1.92 by jpshortstuff
Log created at 15:05 on 01/05/2009 running Option #2 (web)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{3A59CB5C-36E8-4577-9C47-689BF24679D8}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

ComboFix log.txt:
ComboFix 09-05-01.1 - web 05/01/2009 15:14.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.250 [GMT -4:00]
Running from: c:\documents and settings\web\Desktop\ComboFix.exe
.
[i] ADS - svchost.exe: deleted 32256 bytes in 1 streams. [/i]

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ld08.exe
c:\windows\mqcd.dbt
c:\windows\pp06.exe
c:\windows\system32\796525
c:\windows\system32\796525\796525.dll
c:\windows\system32\ak1.exe
c:\windows\system32\ashl.nq
c:\windows\system32\azton.mt
c:\windows\system32\dl32.exe
c:\windows\system32\dolman.zt
c:\windows\system32\drivers\ovfsthtepqlmonodpulksnttolruulakvdbdra.sys
c:\windows\system32\fairy.an
c:\windows\system32\ferryl.cbv
c:\windows\system32\inqby.sr
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\loader49.exe
c:\windows\system32\nvrsk.dll
c:\windows\system32\ovfsthfyulyuxaoqmocfvrdkbiicuaijfbdtmo.dat
c:\windows\system32\ovfsthjkyufrrqhobwqdrlxfmkueqfruwpkdmy.dll
c:\windows\system32\ovfsthjkyufrrqhobwqdrlxfmkueqfruwpkdmy.dll_old
c:\windows\system32\ovfsthnfrswggvrwrpevbxsmjbwwqfvpkutpnv.dll
c:\windows\system32\ovfsthpfnsaactmftxdoyfdxnbwnndisyoioqb.dat
c:\windows\system32\ovfsthrfvxtasyrnttidfefysupvnrpyakcshk.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\prnet.tmp
c:\windows\system32\sjg9s8guigjs.dll
c:\windows\system32\yhs783ijfo3fe.dll

[color=blue]Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected 
Restored copy from - The cat ate it :)[/COLOR]
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthiwipxbrqlxwprrwoncpjrwqwgixmycpe
-------\Legacy_fci
-------\Service_FCI


(((((((((((((((((((((((((   Files Created from 2009-04-01 to 2009-05-01  )))))))))))))))))))))))))))))))
.

2009-05-01 18:10 . 2009-05-01 18:10	--------	d-----w	c:\program files\Trend Micro
2009-04-30 20:09 . 2009-05-01 17:40	0	----a-w	c:\windows\system32\drivers\a0e0263e.sys
2009-04-30 20:08 . 2009-04-30 20:08	101888	----a-w	C:\wwmeoblk.exe
2009-04-30 20:08 . 2009-04-30 20:08	705	----a-w	C:\pdtivk.exe
2009-04-30 20:08 . 2009-04-30 20:08	7680	----a-w	C:\celkadaa.exe
2009-04-30 20:08 . 2009-04-30 20:08	113664	----a-w	C:\kggi.exe
2009-04-16 15:55 . 2008-05-03 11:55	2560	------w	c:\windows\system32\xpsp4res.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 19:17 . 2008-04-14 12:00	578560	----a-w	c:\windows\system32\user32.dll
2009-05-01 19:14 . 2008-04-14 12:00	182656	----a-w	c:\windows\system32\drivers\ndis.sys
2009-04-30 20:22 . 2008-12-01 14:37	--------	d-----w	c:\program files\Spybot - Search & Destroy
2009-04-30 20:08 . 2008-04-14 12:00	14336	----a-w	c:\windows\system32\svchost.exe
2009-04-30 20:08 . 2009-01-30 20:08	51712	--sha-w	c:\windows\system32\hawivobi.exe
2009-03-26 13:50 . 2008-10-02 13:41	55416	----a-w	c:\documents and settings\web\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 13:50 . 2008-10-09 16:52	--------	d-----w	c:\program files\Windows Live
2009-03-26 13:38 . 2009-03-26 13:38	--------	d-----w	c:\program files\Microsoft
2009-03-26 13:37 . 2009-03-26 13:37	--------	d-----w	c:\program files\Windows Live SkyDrive
2009-03-26 13:31 . 2009-03-26 13:31	--------	d-----w	c:\program files\Common Files\Windows Live
2009-03-24 13:16 . 2009-03-23 16:10	--------	d-----w	c:\program files\NOS
2009-03-23 16:27 . 2009-03-23 16:27	--------	d-----w	c:\program files\Common Files\Adobe AIR
2009-03-23 16:24 . 2008-10-01 15:35	--------	d-----w	c:\program files\Common Files\Adobe
2009-03-17 19:12 . 2008-11-28 14:10	--------	d-----w	c:\program files\Notepad++
2009-03-06 14:22 . 2008-04-14 12:00	284160	----a-w	c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2008-04-14 12:00	826368	----a-w	c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-04-14 12:00	78336	----a-w	c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2008-04-14 12:00	729088	----a-w	c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-04-14 12:00	714752	----a-w	c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-04-14 12:00	617472	----a-w	c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-04-14 12:00	401408	----a-w	c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-04-14 12:00	1846784	----a-w	c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-04-14 00:01	2066048	----a-w	c:\windows\system32\ntkrnlpa.exe
2009-02-06 22:52 . 2009-02-06 22:52	49504	----a-w	c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2008-04-14 12:00	110592	----a-w	c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-04-14 12:00	2189056	----a-w	c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2008-04-14 12:00	35328	----a-w	c:\windows\system32\sc.exe
2009-02-03 19:59 . 2008-04-14 12:00	56832	----a-w	c:\windows\system32\secur32.dll
2008-12-17 19:04 . 2008-12-17 19:04	44360	----a-w	c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-17 19:04 . 2008-12-17 19:04	107936	----a-w	c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-01-30 20:00 . 2009-01-30 20:00	49152	--sha-w	c:\windows\system32\hofegope.dll.vir
.
[color=blue]Infected c:\windows\system32\user32.dll hex repaired[/color]


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-01 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]

c:\documents and settings\web\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 a0e0263e;a0e0263e;c:\windows\System32\drivers\a0e0263e.sys [2009-05-01 0]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
FF - ProfilePath - c:\documents and settings\web\Application Data\Mozilla\Firefox\Profiles\ucatwbou.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.sportsnetwork.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 15:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-725345543-1606980848-1484\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3840)
c:\windows\system32\nview.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NavNT\defwatch.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\MSGSYS.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-05-01 15:34 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-01 19:34

Pre-Run: 78,967,713,792 bytes free
Post-Run: 79,153,541,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

203	--- E O F ---	2009-04-30 07:01

HiJackThis.log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:13 PM, on 5/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sportsnetwork.com
O17 - HKLM\Software\..\Telephony: DomainName = sportsnetwork.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sportsnetwork.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sportsnetwork.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7733 bytes

It's a lot of info, I know, and I reiterate my thanks...


#2 hamluis

  • Moderator
  • 55,245 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 01 May 2009 - 03:00 PM

Work computer?

Are you the IT support for yourself?

Do you have an IT department?

Louis

#3 Blue Ink Alchemist

  • Topic Starter
  • Members
  • 3 posts

Posted 01 May 2009 - 03:03 PM

Work computer?

Are you the IT support for yourself?

Do you have an IT department?

Louis


Louis,

I do, but the one person who qualifies as our IT department is busy with the MarioForever virus that refuses to leave our system alone.

#4 hamluis

  • Moderator
  • 55,245 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 01 May 2009 - 04:17 PM

Well...the problem that I have with suggesting that unauthorized personnel tamper with enterprise computers...is that such completely undermines the efforts/intents of having an IT dept.

Company property should be handled via company channels, in my world.

I don't believe it's realistic to encourage users of such to treat the limitations of their use of such systems...lightly.

Louis

#5 tg1911

  • Lord Spam Magnet
  • Members
  • 19,274 posts
  • Gender:Male
  • Location:SW Louisiana

Posted 01 May 2009 - 08:11 PM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic in the Am I infected? What do I do? forum, explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.