Redirect Virus

This topic is locked
12 replies to this topic

#1 digregoriod

Posted 28 May 2009 - 09:10 PM

So I went to use my computer today and I found that most of the time I browse to a web site something happens and I am at another web site. I am being redirected. I tried to run Norton, but it did not find anything, and it won't let me download any updates anymore. Then I tried Malwarebytes and that did not show anything wrong. So now I am here. Below is the latest posted log from HijackThis. Any help is greatly appreciated.
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:24 PM, on 5/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Oracle\ODrive\XfsSvcCon.exe
c:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spb Backup\SpbBackupSync.exe
C:\Program Files\Oracle\ODrive\odrive.exe
C:\Program Files\Oracle\ODrive\ODFWAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\ddigregorio\My Documents\Visual Studio 2005\Projects\VB.NET_1\IndividualAssignment_Week4\bin\Debug\IndividualAssignment_Week4.vshost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.vocollect.int/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Vocollect, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Oracle Drive Helper Object - {5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2} - C:\WINDOWS\SYSTEM32\ODriveHelper.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PDDM] c:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - S-1-5-18 Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe (User 'Default user')
O4 - .DEFAULT User Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe (User 'Default user')
O4 - Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe
O4 - Global Startup: Spb Backup Sync.lnk = C:\Program Files\Spb Backup\SpbBackupSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.tenrox
O15 - Trusted Zone: http://ebsmid1.vocollect.int
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237574576086
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237574497047
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://ebs.vocollect.int/OA_HTML/oaj2se.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vocollect.int
O17 - HKLM\Software\..\Telephony: DomainName = vocollect.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vocollect.int
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ODrive Service (OdService) - Oracle - C:\Program Files\Oracle\ODrive\XfsSvcCon.exe
O23 - Service: ZENworks Patch Management Update (PatchLink Update) - Novell, Inc. - c:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 11691 bytes
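The log above is a list of autostart and browser-configuration entries, and working through it by eye is slow and error-prone. The Python script below is an added example (not from the post and not a BleepingComputer tool) that parses lines in the HijackThis 2.0.2 layout and flags the things a redirect investigation checks first: R0/R1 start and search pages whose host is neither a Microsoft default nor inside the machine's own domain (taken from the O17 Domain entry), O17 NameServer addresses outside the RFC 1918, loopback and link-local ranges, O2/O4/O23 entries whose binary lives outside Program Files or the Windows directory, O4 entries that name a bare file resolved via PATH, and O23 services with no vendor string. The sample log, the corp.example domain, the 203.0.113.x addresses (RFC 5737 documentation range, standing in for an external resolver) and the example.net search URL are constructed for illustration; the regular expressions assume the line shapes seen in the post.

```python
"""Triage helper for HijackThis-style logs: added example, not code from the post."""
import ipaddress
import re
from urllib.parse import urlsplit

# Line shapes of the HijackThis 2.0.2 text layout as pasted in the thread (assumption).
# O23: name may itself contain " - "; the vendor string must not, and the path must start
# with a drive letter (%SystemRoot%-style paths are skipped by this parser).
RE_SERVICE = re.compile(r'^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$')
RE_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
RE_BHO = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
RE_PAGE = re.compile(r'^R[01] - HK(?:LM|CU)\\[^,]+,(?P<value>[^=]+?) = (?P<url>\S+)$')
RE_O17 = re.compile(r'^O17 - (?P<key>.+?): (?P<value>\w+) = (?P<data>.+)$')
RE_PATH = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl)\b', re.I)

# Where vendor software normally lives on XP, 8.3 short names included.
TRUSTED_PREFIXES = ('c:\\program files', 'c:\\progra~1', 'c:\\windows', 'c:\\winnt')
# Hosts a default start/search page may legitimately point at.
KNOWN_PAGE_HOSTS = {'go.microsoft.com', 'www.microsoft.com'}
# Resolvers a domain-joined laptop is expected to use (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16')]


def path_of(command):
    """First .exe/.dll/.ocx/.cpl path in a command line, or None if it names a bare file."""
    m = RE_PATH.search(command)
    return m.group(0) if m else None


def is_internal(ip):
    """True for resolvers inside INTERNAL_NETS; anything else is treated as external."""
    return any(ip in net for net in INTERNAL_NETS)


def check_path(section, name, command, findings):
    """Flag binaries outside the usual install directories, or bare names resolved via PATH."""
    path = path_of(command)
    if path is None:
        findings.append(('BARE_NAME', f'{section} {name}: {command} (resolved via PATH)'))
    elif not path.lower().startswith(TRUSTED_PREFIXES):
        findings.append(('ODD_LOCATION', f'{section} {name}: {path}'))


def triage(text):
    """Return (code, detail) findings for the HijackThis lines in text, in log order."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    # Pass 1: the O17 Domain entry tells us which intranet hosts are expected in R0/R1.
    domains = set()
    for line in lines:
        m = RE_O17.match(line)
        if m and m['value'].lower() == 'domain':
            domains.add(m['data'].strip().lower())
    findings = []
    for line in lines:
        m = RE_PAGE.match(line)
        if m:
            host = (urlsplit(m['url']).hostname or '').lower()
            if host not in KNOWN_PAGE_HOSTS and not any(host.endswith('.' + d) for d in domains):
                findings.append(('PAGE_HIJACK', f'{m["value"]} -> {m["url"]}'))
            continue
        m = RE_O17.match(line)
        if m and m['value'].lower() == 'nameserver':
            for addr in re.split(r'[ ,]+', m['data'].strip()):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    continue
                if not is_internal(ip):
                    findings.append(('EXTERNAL_DNS', f'{m["key"]} -> {addr}'))
            continue
        m = RE_SERVICE.match(line)
        if m:
            if m['owner'].strip().lower() == 'unknown owner':
                findings.append(('NO_VENDOR', m['name']))
            check_path('O23', m['name'], m['path'], findings)
            continue
        m = RE_RUN.match(line)
        if m:
            check_path('O4 ' + m['hive'], m['name'], m['cmd'], findings)
            continue
        m = RE_BHO.match(line)
        if m:
            check_path('O2', m['name'], m['path'], findings)
    return findings


# Constructed sample in the HJT layout (not the poster's log): corp.example is a made-up
# domain, 203.0.113.x is the RFC 5737 documentation range standing in for an external resolver.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.corp.example/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.example.net/?q=
O2 - BHO: Java(TM) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.example
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 203.0.113.5,203.0.113.6
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == '__main__':
    for code, detail in triage(SAMPLE_LOG):
        print(f'{code:14} {detail}')
```

Each finding is a prompt to look, not a verdict: a per-user tool legitimately installed under Documents and Settings will trip ODD_LOCATION, and a bare filename in an O4 entry (nwiz.exe in the log above) is normal for some vendor installers, but an external NameServer on a domain-joined laptop or a search page the user never set are exactly the entries a redirect problem usually hides in.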


#2 thcbytes (Malware Response Team)

Posted 28 May 2009 - 10:24 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am here to help you!

Please follow all my instructions in the order given. If you have any questions, please ask. As I am in training, all fixes will first be reviewed by an expert coach. The advantage is "four eyes and two brains" assisting you. Unfortunately, replies might be somewhat delayed, so please be patient!

I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. I will see you through the duration of this fix. Please do not seek help elsewhere during this timeframe!

In the upper right-hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

**********

Let's get started.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 digregoriod (Topic Starter)

Posted 28 May 2009 - 10:33 PM

OK, here is the 1st....


Logfile of random's system information tool 1.06 (written by random/random)
Run by ddigregorio at 2009-05-28 23:31:24
Microsoft Windows XP Professional Service Pack 3
System drive C: has 67 GB (70%) free of 95 GB
Total RAM: 2030 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:28 PM, on 5/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Oracle\ODrive\XfsSvcCon.exe
c:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spb Backup\SpbBackupSync.exe
C:\Program Files\Oracle\ODrive\odrive.exe
C:\Program Files\Oracle\ODrive\ODFWAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\ddigregorio\My Documents\Visual Studio 2005\Projects\VB.NET_1\IndividualAssignment_Week4\bin\Debug\IndividualAssignment_Week4.vshost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\ddigregorio\Desktop\FireFox_Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\ddigregorio.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.vocollect.int/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Vocollect, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Oracle Drive Helper Object - {5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2} - C:\WINDOWS\SYSTEM32\ODriveHelper.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PDDM] c:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - S-1-5-18 Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe (User 'Default user')
O4 - .DEFAULT User Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe (User 'Default user')
O4 - Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe
O4 - Global Startup: Spb Backup Sync.lnk = C:\Program Files\Spb Backup\SpbBackupSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.tenrox
O15 - Trusted Zone: http://ebsmid1.vocollect.int
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237574576086
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237574497047
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://ebs.vocollect.int/OA_HTML/oaj2se.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vocollect.int
O17 - HKLM\Software\..\Telephony: DomainName = vocollect.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vocollect.int
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ODrive Service (OdService) - Oracle - C:\Program Files\Oracle\ODrive\XfsSvcCon.exe
O23 - Service: ZENworks Patch Management Update (PatchLink Update) - Novell, Inc. - c:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 11970 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\PMTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2}]
ODriveAdvPropHelper Class - C:\WINDOWS\SYSTEM32\ODriveHelper.DLL [2007-12-17 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-03-20 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-20 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-20 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-12-20 125632]
"PWRMGRTR"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor []
"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-12-05 13549568]
"TPHOTKEY"=C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [2008-03-24 68464]
"PDDM"=c:\Program Files\PatchLink\Update Agent\pddm.exe [2007-01-25 393216]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-07-03 1323008]
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-12-05 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-20 136600]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\Wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe [2003-10-24 217194]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-10-17 6144]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Spb Backup Sync.lnk - C:\Program Files\Spb Backup\SpbBackupSync.exe

C:\Documents and Settings\ddigregorio\Start Menu\Programs\Startup
Oracle Drive.lnk - C:\Program Files\Oracle\ODrive\odrive.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2006-12-20 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll [2008-06-24 95496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll [2006-09-06 34344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll [2008-08-08 28672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
psqlpwd

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======File associations======

.txt - open - "C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe" "%1"

======List of files/folders created in the last 1 months======

2009-05-28 23:31:24 ----D---- C:\rsit
2009-05-28 20:55:26 ----D---- C:\Program Files\Trend Micro
2009-05-28 19:12:09 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-28 19:09:11 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-28 16:08:25 ----D---- C:\Documents and Settings\ddigregorio\Application Data\Malwarebytes
2009-05-28 15:46:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-28 15:46:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-28 14:28:08 ----D---- C:\Program Files\CCleaner
2009-05-16 09:33:20 ----A---- C:\WINDOWS\hpntwksetup.ini
2009-05-15 23:44:34 ----A---- C:\WINDOWS\system32\HPZisn12.dll
2009-05-15 23:44:34 ----A---- C:\WINDOWS\system32\HPZipt12.dll
2009-05-15 23:44:34 ----A---- C:\WINDOWS\system32\HPZipr12.dll
2009-05-15 23:44:34 ----A---- C:\WINDOWS\system32\HPZipm12.exe
2009-05-15 23:44:34 ----A---- C:\WINDOWS\system32\HPZinw12.exe
2009-05-15 23:44:34 ----A---- C:\WINDOWS\system32\HPZidr12.dll
2009-05-15 23:44:01 ----HD---- C:\Config.Msi
2009-05-15 23:41:58 ----A---- C:\WINDOWS\system32\hpzjsn01.dll
2009-05-15 23:41:34 ----D---- C:\Temp
2009-05-12 22:45:26 ----D---- C:\Documents and Settings\ddigregorio\Application Data\Amazon
2009-05-12 22:44:45 ----D---- C:\Program Files\Amazon
2009-05-06 15:00:06 ----D---- C:\Documents and Settings\All Users\Application Data\OptiPerl
2009-05-06 14:52:08 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-05-06 14:52:03 ----D---- C:\Documents and Settings\ddigregorio\Application Data\OptiPerl
2009-05-06 14:52:02 ----D---- C:\Program Files\OptiPerl
2009-04-30 14:44:34 ----D---- C:\Program Files\Octave

======List of files/folders modified in the last 1 months======

2009-05-28 23:14:28 ----D---- C:\WINDOWS\Temp
2009-05-28 23:00:13 ----D---- C:\WINDOWS\Prefetch
2009-05-28 20:55:26 ----RD---- C:\Program Files
2009-05-28 19:54:07 ----A---- C:\Log.txt
2009-05-28 19:17:06 ----D---- C:\WINDOWS\system32
2009-05-28 19:17:06 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-28 19:13:56 ----D---- C:\Program Files\Mozilla Firefox
2009-05-28 19:13:12 ----D---- C:\Program Files\Symantec AntiVirus
2009-05-28 19:13:02 ----D---- C:\WINDOWS
2009-05-28 19:12:06 ----SHD---- C:\WINDOWS\CSC
2009-05-28 19:07:03 ----D---- C:\WINDOWS\Debug
2009-05-28 19:07:02 ----D---- C:\WINDOWS\Minidump
2009-05-28 16:24:49 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-28 16:24:48 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-28 16:12:03 ----D---- C:\WINDOWS\system32\drivers
2009-05-28 15:47:30 ----SHD---- C:\WINDOWS\Installer
2009-05-28 14:09:03 ----D---- C:\WINDOWS\security
2009-05-28 14:07:53 ----D---- C:\WINDOWS\system32\Restore
2009-05-27 22:42:03 ----SHD---- C:\System Volume Information
2009-05-27 14:02:54 ----D---- C:\Documents and Settings\ddigregorio\Application Data\AdobeUM
2009-05-27 09:16:18 ----D---- C:\speechRecognition
2009-05-26 23:40:57 ----SD---- C:\Documents and Settings\ddigregorio\Application Data\Microsoft
2009-05-23 14:26:37 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-23 14:25:03 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-23 14:25:03 ----HD---- C:\WINDOWS\inf
2009-05-07 03:16:29 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-04 15:55:07 ----D---- C:\Perl
2009-05-04 13:12:11 ----D---- C:\Misc_Scripts

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
R1 TDFSD;TDFSD; C:\WINDOWS\System32\Drivers\TDFSD.sys [2007-12-17 941184]
R1 TPHKDRV;TPHKDRV; C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys [2008-05-12 17844]
R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2008-09-25 4442]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys []
R2 iPassP;iPass Protocol (IEEE 802.1x) v3.7.4.0; C:\WINDOWS\system32\DRIVERS\iPassP.sys [2008-10-17 21393]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2008-02-15 46592]
R2 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2007-07-30 43008]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\system32\DRIVERS\rixdptsk.sys [2007-07-30 38400]
R2 smihlp;SMI Helper Driver (smihlp); \??\C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys []
R2 WNTHW;WNTHW; \??\C:\WINDOWS\system32\DRIVERS\WNTHW.SYS []
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2008-04-24 308736]
R3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2008-04-24 103424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 atmeltpm;atmeltpm; C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 15872]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2005-08-18 110080]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2008-01-02 252048]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2007-11-01 989696]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2007-11-01 211456]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2008-08-08 23720]
R3 LenovoRd;LenovoRd; C:\WINDOWS\System32\Drivers\LenovoRd.sys [2007-06-08 81280]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090528.003\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090528.003\navex15.sys []
R3 NETw4x32;Intel® Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-11-26 2236544]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-12-05 6620096]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2007-02-19 21376]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-14 79232]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-07-03 225664]
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2008-01-30 50576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2007-11-01 731520]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S3 ApibUsb;APIB USB Service; C:\WINDOWS\System32\Drivers\apibusb.sys [2007-07-16 31872]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2008-08-19 47272]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-05-17 5315]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2008-04-14 11904]
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2008-04-14 11008]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-14 12800]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2006-04-20 1520688]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-12-20 31424]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2008-08-08 41248]
R2 iPassPeriodicUpdateService;iPassPeriodicUpdateService; C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe [2008-05-08 98304]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-20 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-12-05 168004]
R2 OdService;ODrive Service; C:\Program Files\Oracle\ODrive\XfsSvcCon.exe [2007-12-17 33792]
R2 PatchLink Update;ZENworks Patch Management Update; c:\Program Files\PatchLink\Update Agent\GravitixService.exe [2007-01-25 81920]
R2 Power Manager DBC Service;Power Manager DBC Service; C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-09-25 94208]
R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-12-20 116928]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 SUService;System Update; c:\program files\lenovo\system update\suservice.exe [2008-10-20 28672]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-12-20 1814720]
R2 ThinkVantage Registry Monitor Service;ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [2007-09-26 644408]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client; C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe [2009-03-24 49152]
R2 TVT Scheduler;TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2008-03-04 1122304]
R3 iPassPeriodicUpdateApp;iPassPeriodicUpdateApp; C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe [2008-05-08 155648]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPassConnectEngine;iPassConnectEngine; C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe [2008-06-12 1720320]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
and the second.....

info.txt logfile of random's system information tool 1.06 2009-05-28 23:31:30

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ActivePerl 5.10.0 Build 1004-->MsiExec.exe /I{82A27957-45D5-41BC-8593-60249895727B}
Adobe Acrobat - Reader 6.0.2 Update-->MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Standard-->MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Acrobat and Reader 6.0.3 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Amazon MP3 Downloader 1.0.3-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
Apple Mobile Device Support-->MsiExec.exe /I{AFA20D47-69C3-4030-8DF8-D37466E70F13}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Audio Precision ATS 1.60 Addins-->"C:\Program Files\Audio Precision\ATS 1.60\ATS 1.60 Addins Uninstall.exe"
Audio Precision ATS 1.60-->"C:\Program Files\Audio Precision\ATS 1.60\UninstallATS.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Cisco Systems VPN Client 4.8.01.0300-->MsiExec.exe /X{D25122BC-A60E-4663-B602-B01718F12044}
CmdHere Powertoy For Windows XP-->MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
GNU Octave 3.0.1-->C:\Program Files\Octave\uninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
HP Deskjet Printer Driver Software 9.0-->C:\Program Files\HP\Digital Imaging\{E0C18BB0-32CA-4679-B422-9B9FA825378F}\setup\hpzscr01.exe -datfile hphscr15.dat -showdisconnect -forcereboot
Intel® PRO Network Connections Drivers-->Prounstl.exe
iPassConnect-->"C:\Program Files\InstallShield Installation Information\{AB6FFA58-F491-11D3-8951-000000015799}\Setup.exe" -runfromtemp -l0x0009 -removeonly
iTunes-->MsiExec.exe /I{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
Java DB 10.4.1.3-->MsiExec.exe /X{998D6972-F58E-479D-9248-8F179E55AE38}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ SE Development Kit 6 Update 11-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160110}
JGsoft EditPad Pro 6 v.6.4.5-->C:\WINDOWS\UnDeploy.exe "C:\Program Files\JGsoft\EditPadPro6\Deploy.log"
LiveUpdate 3.1 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Device Emulator version 1.0 - ENU-->MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005-->C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005-->MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003-->MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools-->MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{56B4002F-671C-49F4-984C-C760FE3806B5}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# 2.0 Redistributable Package-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Professional Edition - ENU-->C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library for Visual Studio 2005-->msiexec /i {23959E96-A80F-4172-A655-210E9BB7BFBE}
MSDN Library for Visual Studio 2005-->MsiExec.exe /X{23959E96-A80F-4172-A655-210E9BB7BFBE}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
NetBeans IDE 6.5-->"C:\Program Files\NetBeans 6.5\uninstall.exe"
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
On Screen Display-->rundll32.exe "C:\Program Files\Lenovo\HOTKEY\cleanup.dll",InfUninstall DefaultUninstall.XP 132 C:\Program Files\Lenovo\HOTKEY\tphk_tp.inf
OptiPerl 5.4-->"C:\Program Files\OptiPerl\unins000.exe"
Oracle Drive 10.2.0.0.13-->MsiExec.exe /X{36526921-1CF8-4F95-92BA-85C77CB2D444}
Oracle Messenger-->"C:\Program Files\Oracle\Messenger\setup.exe" -u
Perforce Visual Components-->MsiExec.exe /I{9B6A176B-7703-47DF-8BB3-84D0BB769FD4}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB925674)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {124D38C7-5BE5-4D4E-8D6D-9F10DC6B6D11} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {78DD9A0A-4AE1-46D0-B9A6-578EFCA47A3C} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Sony Sound Forge Audio Studio 9.0-->MsiExec.exe /X{20207CCE-A8FA-44A7-AA3D-1E43EB307B27}
Sparrow 2.1-->"C:\Program Files\Vocollect\Sparrow\unins000.exe"
Spb Backup 2.0-->"C:\Program Files\Spb Backup\unins000.exe"
Spb Backup-->C:\Program Files\Microsoft ActiveSync\Spb Backup\Uninstall.exe Spb Backup
Symantec AntiVirus-->MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
System Update-->MsiExec.exe /X{8675339C-128C-44DD-83BF-0A5D6ABD8297}
ThinkPad FullScreen Magnifier-->rundll32.exe "C:\Program Files\Lenovo\ZOOM\cleanup.dll",InfUninstall DefaultUninstall 132 C:\Program Files\Lenovo\Zoom\TpScrex.inf
ThinkPad Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\UIU32m.exe -U -ITkp0588k.INF
ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad UltraNav Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ThinkVantage Fingerprint Software 5.8-->MsiExec.exe /I{9F98C9F8-9B49-411C-AFB9-AF633249FA7C}
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VNC Free Edition 4.1.3-->"C:\Program Files\RealVNC\VNC4\unins000.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
ZENworks Asset Management - Client Apps-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Novell\ZENworks\Asset Management\UninstFA.isu" -c"C:\Program Files\Novell\ZENworks\Asset Management\bin\UninstCC.dll"
ZENworks Patch Management Agent-->MsiExec.exe /X{023DBB60-2689-4EFC-A2A6-4CCDB3A9A5BF}

======Security center information======

AV: Symantec AntiVirus Corporate Edition

======System event log======

Computer Name: IT-2484
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F3B683E8D. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5392
Source Name: Dhcp
Time Written: 20090512131113.000000-240
Event Type: warning
User:

Computer Name: IT-2484
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F3B683E8D. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5390
Source Name: Dhcp
Time Written: 20090512130952.000000-240
Event Type: warning
User:

Computer Name: IT-2484
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F3B683E8D. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5389
Source Name: Dhcp
Time Written: 20090512130932.000000-240
Event Type: warning
User:

Computer Name: IT-2484
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F3B683E8D. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5384
Source Name: Dhcp
Time Written: 20090512130400.000000-240
Event Type: warning
User:

Computer Name: IT-2484
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F3B683E8D. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5383
Source Name: Dhcp
Time Written: 20090512130342.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: IT-2484
Event Code: 1054
Message: Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.

Record Number: 2483
Source Name: Userenv
Time Written: 20090423221853.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: IT-2484
Event Code: 15
Message: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Record Number: 2478
Source Name: AutoEnrollment
Time Written: 20090423044907.000000-240
Event Type: error
User:

Computer Name: IT-2484
Event Code: 15
Message: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Record Number: 2477
Source Name: AutoEnrollment
Time Written: 20090422204907.000000-240
Event Type: error
User:

Computer Name: IT-2484
Event Code: 1054
Message: Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.

Record Number: 2475
Source Name: Userenv
Time Written: 20090422203619.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: IT-2484
Event Code: 1054
Message: Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.

Record Number: 2474
Source Name: Userenv
Time Written: 20090422203619.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\Vocollect\Sparrow\System;C:\Program Files\Vocollect\Sparrow\System;C:\Perl\site\bin;C:\Perl\bin;C:\Program Files\RSA SecurID Token Common;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Lenovo;C:\Program Files\Perforce;C:\Program Files\QuickTime\QTSystem\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"TVT"=C:\Program Files\Lenovo
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
"VS80COMNTOOLS"=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\

-----------------EOF-----------------

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 AM

Posted 29 May 2009 - 08:45 AM

Hello again,
Let's get started.

**********

Is this a familiar process?
C:\Documents and Settings\ddigregorio\My Documents\Visual Studio 2005\Projects\VB.NET_1\IndividualAssignment_Week4\bin\Debug\IndividualAssignment_Week4.vshost.exe
How about this site?
http://intranet.vocollect.int/
**********

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

**********
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

**********

With your next post please provide:

* Answer to questions
* Goored.txt
* Gmer.log
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 digregoriod

digregoriod
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 29 May 2009 - 12:24 PM

To answer the questions: the 1st is my homework assignment for school. The second is the intranet server where I work.

Goored

GooredFix v1.92 by jpshortstuff
Log created at 10:09 on 29/05/2009 running Option #1 (ddigregorio)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"



GMER------------------------

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-29 13:21:12
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 899C1CC8 ZwEnumerateKey
Code 899C1D00 ZwFlushInstructionCache
Code 899C1C8E IofCallDriver
Code 899C1C56 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 899C1C93
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 899C1C5B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 899C1D04
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 899C1CCC

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[364] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[472] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0063000A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[580] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0063000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[628] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A7000A
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[740] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0058000A
.text ...

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kungsfkvuqoqtn.sys (*** hidden *** ) [SYSTEM] kungsfyxodnebw <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw@imagepath \systemroot\system32\drivers\kungsfkvuqoqtn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\main@cmddelay 3600
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\main\connections
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\main\injector@* kungsfwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules@kungsfrk.sys \systemroot\system32\drivers\kungsfkvuqoqtn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules@kungsfcmd.dll \systemroot\system32\kungsfuccnqfuu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules@kungsflog.dat \systemroot\system32\kungsfxgetioaf.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules@kungsfwsp.dll \systemroot\system32\kungsbleepspqvu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules@kungsf.dat \systemroot\system32\kungsfqnhkrtfr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw@imagepath \systemroot\system32\drivers\kungsfkvuqoqtn.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\main
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\main@cmddelay 3600
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\main\connections
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\main\injector@* kungsfwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\modules
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\modules@kungsfrk.sys \systemroot\system32\drivers\kungsfkvuqoqtn.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\modules@kungsfcmd.dll \systemroot\system32\kungsfuccnqfuu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\modules@kungsflog.dat \systemroot\system32\kungsfxgetioaf.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\modules@kungsfwsp.dll \systemroot\system32\kungsbleepspqvu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfyxodnebw\modules@kungsf.dat \systemroot\system32\kungsfqnhkrtfr.dat

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\kungsfkvuqoqtn.sys 20480 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\kungsfuccnqfuu.dll 20992 bytes executable
File C:\WINDOWS\system32\kungsbleepspqvu.dll 19968 bytes executable
File C:\WINDOWS\system32\kungsfxgetioaf.dat 167874 bytes

---- EOF - GMER 1.0.15 ----



Thanks!!!

Edited by digregoriod, 29 May 2009 - 12:25 PM.
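The GMER log above is read by the helper in the next reply by eye: a service GMER marks as hidden, four kernel entry points patched with JMPs into the same foreign region, and a set of randomly named files under system32. The following is an added triage script for this thread (not part of GMER, ComboFix or anything the helper posted) that does the same correlation over a GMER-format log. The sample log embedded in it is constructed from the entries posted above, abbreviated to the lines the script needs; the regexes assume GMER 1.0.15's line layout as it appears in this log.

```python
"""Triage a GMER rootkit-scan log the way a responder reads one: hidden
services, kernel hooks that all land in one foreign code page, and the
files the hidden service's own registry module list points at."""
import re
from collections import defaultdict

# Constructed sample modelled on the GMER 1.0.15 log posted above (names and
# paths copied from that log; the line set is abbreviated).
SAMPLE_LOG = r"""GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-29 13:21:12
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 899C1C93
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 899C1C5B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 899C1D04
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 899C1CCC
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\kungsfkvuqoqtn.sys (*** hidden *** ) [SYSTEM] kungsfyxodnebw <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw@imagepath \systemroot\system32\drivers\kungsfkvuqoqtn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules@kungsfrk.sys \systemroot\system32\drivers\kungsfkvuqoqtn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules@kungsfcmd.dll \systemroot\system32\kungsfuccnqfuu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules@kungsflog.dat \systemroot\system32\kungsfxgetioaf.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfyxodnebw\modules@kungsfwsp.dll \systemroot\system32\kungsbleepspqvu.dll
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\kungsfkvuqoqtn.sys 20480 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\kungsfuccnqfuu.dll 20992 bytes executable
File C:\WINDOWS\system32\kungsbleepspqvu.dll 19968 bytes executable
File C:\WINDOWS\system32\kungsfxgetioaf.dat 167874 bytes
---- EOF - GMER 1.0.15 ----
"""

# Line shapes assumed from the GMER 1.0.15 output in this thread.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
KHOOK_RE = re.compile(r"^(\S+) (\S+!\S+) ([0-9A-F]+) (\d+) Bytes (\w+) ([0-9A-F]+)$")
SERVICE_RE = re.compile(r"^Service (.+?) \((.*?)\) \[(\w+)\] (\S+)( <-- ROOTKIT !!!)?$")
MODULE_RE = re.compile(r"^Reg HKLM\\SYSTEM\\\S+\\Services\\([^\\@]+)\\modules@\S+ (\S+)$")
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes( executable)?( <-- ROOTKIT !!!)?$")


def basename(path):
    # Registry and Files sections spell the same file as \systemroot\... and
    # C:\WINDOWS\..., so correlate on the case-folded final component only.
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Split a GMER log into the sections a triage cares about."""
    section = None
    out = {"kernel_hooks": [], "services": [], "files": [], "modules": defaultdict(list)}
    for line in text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            section = m[1]
        elif section == "Kernel code sections" and (m := KHOOK_RE.match(line)):
            out["kernel_hooks"].append({"symbol": m[2], "address": m[3], "target": m[6]})
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            out["services"].append({"image": m[1], "name": m[4],
                                    "hidden": "hidden" in m[2], "flagged": bool(m[5])})
        elif section == "Registry" and (m := MODULE_RE.match(line)):
            out["modules"][m[1]].append(m[2])
        elif section == "Files" and (m := FILE_RE.match(line)):
            out["files"].append({"path": m[1], "size": int(m[2]), "flagged": bool(m[4])})
    return out


def triage(text):
    """Correlate the parsed sections into findings a responder acts on."""
    p = parse_gmer(text)
    report = {"hidden_services": [], "hook_clusters": [], "dropped_files": []}
    # A service the normal service API cannot see is the strongest single
    # indicator; attach the modules its own registry key enumerates.
    for s in p["services"]:
        if s["hidden"] or s["flagged"]:
            report["hidden_services"].append({
                "name": s["name"], "image": basename(s["image"]),
                "modules": [basename(m) for m in p["modules"].get(s["name"], [])]})
    # Several kernel entry points patched to jump into the same 4 KiB page
    # point at one resident module rather than unrelated hooks.
    pages = defaultdict(list)
    for h in p["kernel_hooks"]:
        pages[int(h["target"], 16) >> 12].append(h["symbol"])
    for page, symbols in sorted(pages.items()):
        if len(symbols) >= 2:
            report["hook_clusters"].append({"page": f"{page << 12:08X}", "symbols": symbols})
    # Files GMER flagged outright, plus any the hidden service registers as
    # its modules, are the artefacts to quarantine and hash.
    referenced = {basename(m) for mods in p["modules"].values() for m in mods}
    for f in p["files"]:
        if f["flagged"] or basename(f["path"]) in referenced:
            report["dropped_files"].append({"path": f["path"], "size": f["size"]})
    if report["hidden_services"]:
        report["verdict"] = "rootkit"
    elif report["hook_clusters"] or report["dropped_files"]:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "no findings"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample this reports one hidden service (kungsfyxodnebw, image kungsfkvuqoqtn.sys) with four registered modules, one hook cluster covering all four patched kernel functions, and four dropped files, so the verdict is "rootkit". A hook cluster on its own only rates "suspicious": security products also patch kernel entry points, so without a hidden service or flagged file it needs a per-product baseline before anyone acts on it. The user-mode LdrLoadDll hooks in the log are left out for the same reason.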


#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 AM

Posted 29 May 2009 - 03:42 PM

Hi,
Found it!!!!
Hidden rootkit. Nasty little infection.

Do this......

**********

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


**********
Please run GMER again:
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

**********

With your next post please provide:

* How is the computer running now?
* Combofix.txt
* Gmer.log
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 digregoriod

digregoriod
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 29 May 2009 - 07:35 PM

OK so I think you got it!!!! WOW!!!! THANKS!!!!!!! Here are the files

ComboFix 09-05-29.01 - ddigregorio 05/29/2009 20:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1513 [GMT -4:00]
Running from: c:\documents and settings\ddigregorio\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\kungsfkvuqoqtn.sys
c:\windows\system32\kungsfqnhkrtfr.dat
c:\windows\system32\kungsfuccnqfuu.dll
c:\windows\system32\kungsbleepspqvu.dll
c:\windows\system32\kungsfxgetioaf.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kungsfyxodnebw


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-29 03:31 . 2009-05-29 03:31 -------- d-----w C:\rsit
2009-05-29 00:55 . 2009-05-29 00:55 -------- d-----w c:\program files\Trend Micro
2009-05-28 20:11 . 2009-05-28 20:11 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-28 20:08 . 2009-05-28 20:08 -------- d-----w c:\documents and settings\ddigregorio\Application Data\Malwarebytes
2009-05-28 19:47 . 2009-05-28 19:47 -------- d-----w c:\documents and settings\istops\Application Data\Malwarebytes
2009-05-28 19:47 . 2009-05-26 17:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-28 19:46 . 2009-05-26 17:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 19:46 . 2009-05-28 20:12 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-28 19:46 . 2009-05-28 19:46 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-28 18:28 . 2009-05-28 18:28 -------- d-----w c:\program files\CCleaner
2009-05-16 03:44 . 2004-09-29 16:15 204800 ----a-w c:\windows\system32\HPZipr12.dll
2009-05-16 03:44 . 2004-09-29 16:14 69632 ----a-w c:\windows\system32\HPZipm12.exe
2009-05-16 03:44 . 2004-09-29 16:12 278584 ----a-w c:\windows\system32\HPZidr12.dll
2009-05-16 03:44 . 2004-09-29 16:09 57344 ----a-w c:\windows\system32\HPZisn12.dll
2009-05-16 03:44 . 2004-09-29 16:09 94208 ----a-w c:\windows\system32\HPZipt12.dll
2009-05-16 03:44 . 2004-09-29 16:08 61440 ----a-w c:\windows\system32\HPZinw12.exe
2009-05-16 03:43 . 2005-12-17 05:56 17505 ------w c:\windows\hpomdl07.dat
2009-05-16 03:41 . 2005-12-17 05:56 98304 ----a-w c:\windows\system32\hpzjsn01.dll
2009-05-16 03:41 . 2009-05-16 13:33 -------- d-----w C:\Temp
2009-05-16 03:41 . 2009-05-16 13:25 -------- d-----w c:\temp\HP_WebRelease
2009-05-13 02:45 . 2009-05-13 02:45 -------- d-----w c:\documents and settings\ddigregorio\Application Data\Amazon
2009-05-13 02:44 . 2009-05-13 02:44 -------- d-----w c:\program files\Amazon
2009-05-12 14:46 . 2001-08-17 17:56 7552 -c--a-w c:\windows\system32\dllcache\sonypvu1.sys
2009-05-12 14:46 . 2001-08-17 17:56 7552 ----a-w c:\windows\system32\drivers\SONYPVU1.SYS
2009-05-12 13:41 . 2009-05-12 13:41 -------- d-----w c:\documents and settings\ddigregorio\octave
2009-05-06 19:00 . 2009-05-06 19:00 -------- d-----w c:\documents and settings\All Users\Application Data\OptiPerl
2009-05-06 18:52 . 2009-05-26 01:30 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-06 18:52 . 2009-05-06 18:52 -------- d-----w c:\documents and settings\ddigregorio\Application Data\OptiPerl
2009-05-06 18:52 . 2009-05-06 18:52 -------- d-----w c:\program files\OptiPerl
2009-04-30 18:44 . 2009-04-30 18:45 -------- d-----w c:\program files\Octave

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 00:13 . 2008-10-17 19:52 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-29 23:20 . 2008-10-17 19:14 207709 ----a-w c:\windows\system32\nvModes.dat
2009-05-27 18:02 . 2009-03-20 19:20 -------- d-----w c:\documents and settings\ddigregorio\Application Data\AdobeUM
2009-05-27 08:00 . 2009-05-28 01:12 259368 ----a-w c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2d7603.vdb\ECMSVR32.DLL
2009-05-20 08:00 . 2009-05-28 01:12 259368 ----a-w c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2d6803.vdb\ECMSVR32.DLL
2009-04-29 01:51 . 2009-04-29 01:41 121278 ----a-w c:\windows\HPHins15.dat
2009-04-29 01:50 . 2009-04-29 01:50 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-04-29 01:43 . 2009-04-29 01:43 -------- d-----w c:\program files\HP
2009-04-28 19:49 . 2009-04-28 19:49 -------- d-----w c:\documents and settings\All Users\Application Data\Audio Precision
2009-04-21 13:37 . 2008-10-17 19:22 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-04-21 12:35 . 2009-04-21 12:35 -------- d-----w c:\program files\iTunes
2009-04-21 12:35 . 2009-04-21 12:35 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 12:35 . 2009-04-21 12:35 -------- d-----w c:\program files\iPod
2009-04-21 12:35 . 2009-03-20 18:41 -------- d-----w c:\program files\Common Files\Apple
2009-04-21 12:32 . 2009-04-21 12:32 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-15 16:57 . 2009-04-15 16:57 -------- d-----w c:\program files\VSTplugins
2009-04-15 16:57 . 2009-04-15 16:57 -------- d-----w c:\documents and settings\ddigregorio\Application Data\Publish Providers
2009-04-15 16:55 . 2009-04-15 16:55 -------- d-----w c:\documents and settings\ddigregorio\Application Data\Sony
2009-04-15 16:55 . 2009-04-15 16:55 -------- d-----w c:\program files\Sony
2009-04-15 16:54 . 2009-04-15 16:54 -------- d-----w c:\program files\Sony Setup
2009-04-13 18:46 . 2009-04-13 18:46 -------- d-----w c:\documents and settings\ddigregorio\Application Data\Oracle RTC Messenger
2009-04-13 18:46 . 2008-10-17 20:34 -------- d-----w c:\program files\Oracle
2009-04-02 03:16 . 2009-03-20 19:45 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-02 03:11 . 2009-03-20 19:56 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-02 03:07 . 2009-04-02 03:07 -------- d-----w c:\program files\MSXML 6.0
2009-03-24 19:49 . 2009-03-20 17:59 9176 ----a-w c:\windows\system32\drivers\WNTHW.SYS
2009-03-21 02:49 . 2009-03-21 02:50 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-20 20:43 . 2009-03-20 20:43 0 ----a-w c:\windows\nsreg.dat
2009-03-20 19:54 . 2009-03-20 19:16 40496 ----a-w c:\documents and settings\ddigregorio\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-20 18:02 . 2009-03-20 18:02 39664 ----a-w c:\documents and settings\istops\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2009-03-20 18:42 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-06 14:22 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2008-04-14 12:00 826368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2008-12-08 02:18 679936 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2008-12-08 02:18 679936 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2008-12-08 02:18 679936 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-12-20 125632]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-05 13549568]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"PDDM"="c:\program files\PatchLink\Update Agent\pddm.exe" [2007-01-25 393216]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-05 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-21 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-05 1630208]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Oracle Drive.lnk - c:\program files\Oracle\ODrive\odrive.exe [2007-12-17 73728]

c:\documents and settings\istops\Start Menu\Programs\Startup\
Oracle Drive.lnk - c:\program files\Oracle\ODrive\odrive.exe [2007-12-17 73728]

c:\documents and settings\ddigregorio\Start Menu\Programs\Startup\
Oracle Drive.lnk - c:\program files\Oracle\ODrive\odrive.exe [2007-12-17 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Spb Backup Sync.lnk - c:\program files\Spb Backup\SpbBackupSync.exe [2009-3-20 430080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-06-24 21:31 95496 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 21:37 34344 ----a-w c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-09 00:14 28672 ----a-w c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 TDFSD;TDFSD;c:\windows\system32\drivers\tdfsd.sys [12/17/2007 5:07 PM 941184]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [10/17/2008 4:25 PM 4442]
R2 OdService;ODrive Service;c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager --> c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager [?]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/17/2008 4:25 PM 94208]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/20/2006 2:29 PM 116928]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [6/24/2008 5:07 PM 12560]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [3/20/2009 1:59 PM 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [3/20/2009 1:59 PM 9176]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/20/2009 12:30 PM 101936]
R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [6/8/2007 9:36 AM 81280]
S3 ApibUsb;APIB USB Service;c:\windows\system32\drivers\apibusb.sys [7/16/2007 12:47 PM 31872]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-10-17 05:47]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.vocollect.int/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: tenrox
Trusted Zone: vocollect.int\ebsmid1
FF - ProfilePath - c:\documents and settings\ddigregorio\Application Data\Mozilla\Firefox\Profiles\qlt59jz3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadPro6\EditPadPro.exe" "%1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1372)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\vti.dll
c:\windows\system32\XDNP.dll

- - - - - - - > 'lsass.exe'(1428)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
Completion time: 2009-05-30 20:17
ComboFix-quarantined-files.txt 2009-05-30 00:16

Pre-Run: 70,006,759,424 bytes free
Post-Run: 70,064,889,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

234 --- E O F --- 2009-05-23 20:42



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:46 PM, on 5/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Oracle\ODrive\XfsSvcCon.exe
c:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.vocollect.int/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Oracle Drive Helper Object - {5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2} - C:\WINDOWS\SYSTEM32\ODriveHelper.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PDDM] c:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - S-1-5-18 Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe (User 'Default user')
O4 - .DEFAULT User Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe (User 'Default user')
O4 - Startup: Oracle Drive.lnk = C:\Program Files\Oracle\ODrive\odrive.exe
O4 - Global Startup: Spb Backup Sync.lnk = C:\Program Files\Spb Backup\SpbBackupSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.tenrox
O15 - Trusted Zone: http://ebsmid1.vocollect.int
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237574576086
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237574497047
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://ebs.vocollect.int/OA_HTML/oaj2se.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vocollect.int
O17 - HKLM\Software\..\Telephony: DomainName = vocollect.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vocollect.int
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ODrive Service (OdService) - Oracle - C:\Program Files\Oracle\ODrive\XfsSvcCon.exe
O23 - Service: ZENworks Patch Management Update (PatchLink Update) - Novell, Inc. - c:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 10423 bytes



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-29 20:28:04
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\DDIGRE~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

#8 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 30 May 2009 - 09:45 AM

Good job! :thumbup2:
Not done yet though.
Hang in there. We are getting closer.

Do this....

**********

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
  • Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

**********

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000


Name the file regedit.reg, making sure "Save as type" is set to "All Files".
Double click on regedit.reg & allow it to run.

**********

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
**********

With your next post please provide:

* Still redirected and unable to update?
* Panda Activescan report
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
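As an added example (not part of the thread or of ERUNT/Panda), the PowerShell below audits the same two Security Center values that the regedit.reg fix in the post above sets back to 0, so a helper can tell whether the override is still in place before and after applying the fix. The function name is hypothetical; the only assumptions are the two registry paths and the expected value 0, both taken from the .reg text above.

```powershell
# Added example, not from the thread: check the Security Center values that the
# regedit.reg fix above resets. Nonzero (or explicitly set) values mean the
# Windows Security Center firewall/AV monitoring has been overridden.
function Test-SecurityCenterOverride {
    param(
        # Subkey name of the AV product, as used in the thread's fix
        [string]$AvMonitoringSubkey = 'SymantecAntiVirus'
    )
    $base = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $checks = @(
        @{ Path = $base;                                  Name = 'FirewallOverride'  },
        @{ Path = "$base\Monitoring\$AvMonitoringSubkey"; Name = 'DisableMonitoring' }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -Path $c.Path) {
            # -ErrorAction SilentlyContinue: a missing value is reported as $null, not an error
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.($c.Name) }
        }
        New-Object -TypeName PSObject -Property @{
            Path     = $c.Path
            Name     = $c.Name
            Value    = $value
            Expected = 0
            # An absent value is the default (not overridden); anything nonzero
            # differs from what the fix above restores.
            Tampered = ($null -ne $value -and [int]$value -ne 0)
        }
    }
}

# Report the current state; restoring is the same operation the .reg import performs.
$results = Test-SecurityCenterOverride
$results | Select-Object Path, Name, Value, Expected, Tampered | Format-Table -AutoSize
foreach ($r in ($results | Where-Object { $_.Tampered })) {
    Write-Warning ("{0}\{1} is {2}; restore with: Set-ItemProperty -Path '{0}' -Name {1} -Value 0 -Type DWord" -f $r.Path, $r.Name, $r.Value)
}
```

Run it from an administrative PowerShell prompt before importing regedit.reg and again afterwards; the second run should show Tampered = False for both rows.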

#9 digregoriod

  • Topic Starter
  • Members
  • 6 posts

Posted 30 May 2009 - 03:35 PM

Redirecting seems to have stopped. I was not sure what you meant about updating, though.

Here are the results from the scan...
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-05-30 16:32:43
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 8
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec AntiVirus Corporate Edition 10.1.5.5010 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\istops\Cookies\istops@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\istops\Cookies\istops@atdmt[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\istops\Cookies\istops@ad.yieldmanager[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\istops\Cookies\istops@overture[2].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{FFB8A8FD-2CF1-4729-8A2F-41C7158D39CC}\RP0\A0000004.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location 6I
;===================================================================================================================================================================================
No C:\Documents and Settings\ddigregorio\Desktop\ComboFix.exe[32788R22FWJFW\n.com] 6I
No C:\Documents and Settings\ddigregorio\Desktop\ComboFix.exe[32788R22FWJFW\NirCmd.cfexe] 6I
No C:\System Volume Information\_restore{FFB8A8FD-2CF1-4729-8A2F-41C7158D39CC}\RP0\A0000013.exe 6I
No C:\System Volume Information\_restore{FFB8A8FD-2CF1-4729-8A2F-41C7158D39CC}\RP0\A0000064.com 6I
No C:\System Volume Information\_restore{FFB8A8FD-2CF1-4729-8A2F-41C7158D39CC}\RP0\A0000066.com 6I
No C:\Qoobox\Quarantine\C\WINDOWS\system32\kungsbleepspqvu.dll.vir 6I
No C:\System Volume Information\_restore{FFB8A8FD-2CF1-4729-8A2F-41C7158D39CC}\RP0\A0000003.dll 6I
No C:\WINDOWS\NIRCMD.exe 6I
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 6I
;===================================================================================================================================================================================
;===================================================================================================================================================================================


Thanks

#10 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 30 May 2009 - 09:58 PM

Well Done :thumbup2:

Clean log here!! The detections are for tracking cookies, quarantined items we already removed, objects in System Restore that we will remove shortly, and a false alarm. The next steps are very important; please see them through, particularly resetting System Restore.

**********

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

**********

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

**********

We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
**********

Reset System Restore <----- IMPORTANT!!!!!
You should disable and enable System Restore to make sure there are no infected files left in a restore point. You can find instructions on how to disable and enable System Restore here:

Windows XP


Note: You should only do this once, not on a regular basis!
You will not be able to restore the computer to any point earlier than today!

**********

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use; the paid versions provide resident protection and do not nag.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  • Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. Download Secunia Software Inspector to keep all your software up to date.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Good luck & please surf safe.
Regards,
t

#11 digregoriod

  • Topic Starter
  • Members
  • 6 posts

Posted 31 May 2009 - 12:31 PM

Thanks a Bunch!!!!! This was great!!!!

#12 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 31 May 2009 - 02:21 PM

You're welcome!

#13 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 31 May 2009 - 03:51 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.


