
Hijacked Browser, Started with a Dropper


  • This topic is locked
15 replies to this topic

#1 SunnSurf

  • Members
  • 10 posts

Posted 11 January 2010 - 02:22 AM


I was on a site that I was redirected to by accident and I think that it loaded some bad stuff in my computer. At first many ads were popping up and so I ran the antivirus prog on my computer, Symantec, as well as Ad-Aware. It said that it found a "Dropper" but it seems to only eliminate some of the problem. When I go to google and try to look up security solutions it redirects me to similar sites, but not the site I am looking for. Something is controlling my browser. Webroot, Ad-Aware and HiJack can't seem to find any problems, but it is still happening....
Thanks for your help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by cmanca at 17:12:04.03 on Sun 01/10/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1978.1128 [GMT -8:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\Ati2evxx.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\History Sweeper\sweeper.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Documents and Settings\cmanca\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://sa.juniper.net/dana/home/index.cgi
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Juniper Networks
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Taskman=c:\documents and settings\temp\application data\ufxw.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: gwprimawega: {f24e071b-017a-cf85-ed9d-87016347d734} - c:\windows\system32\6J2CA6bJ-rC4.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [COMMUNICATOR] "c:\program files\microsoft office communicator\Communicator.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Sweeper.exe] c:\program files\history sweeper\sweeper.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [OdTray.exe] "c:\program files\juniper networks\odyssey access client\OdTray.exe"
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: c:\docume~1\cmanca\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoPropertiesRecycleBin = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: NoInternetIcon = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoPublishingWizard = 1 (0x1)
uPolicies-explorer: NoWebServices = 1 (0x1)
uPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: MaxGPOScriptWait = 300 (0x12c)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261976476656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {BDCBB757-CE6C-4C87-BE97-982DAE596048} - hxxp://crm.juniper.net/htim_enu/20412/applets/SiebelAx_HI_Client.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sa.juniper.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: OdysseyClient - odyEvent.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cmanca\applic~1\mozilla\firefox\profiles\mgcho012.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [2009-12-1 277032]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [2008-6-3 254208]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-6-10 19496]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2009-12-1 17584]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2009-7-8 13480]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-23 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-23 108392]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2007-12-20 83320]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-12-21 53248]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-10-23 2477304]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2009-11-2 62320]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-12-22 239760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-1 102448]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [2007-10-4 390528]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [2007-10-4 29312]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100109.006\NAVENG.SYS [2010-1-10 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100109.006\NAVEX15.SYS [2010-1-10 1323568]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-11-2 45424]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-10-23 23888]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\common files\juniper networks\tnc client\jTnccService.exe [2008-6-3 116008]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-1-6 30192]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-12-1 22448]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2009-12-1 29232]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2010-01-11 00:58:38 0 d-----w- c:\program files\TrendMicro
2010-01-09 21:20:03 0 d-----w- c:\program files\History Sweeper
2010-01-09 05:18:32 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-01-09 05:18:30 0 d-----w- c:\program files\IObit
2010-01-09 03:29:34 0 dc-h--w- c:\docume~1\alluse~1\applic~1\~0
2010-01-08 05:20:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-07 22:13:07 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-07 05:51:45 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-07 05:51:45 0 d-----w- c:\documents and settings\cmanca\log
2010-01-07 05:47:32 0 d-----w- c:\program files\Trend Micro
2010-01-07 03:33:38 0 d-----w- c:\program files\MSXML 4.0
2010-01-07 02:48:26 0 d--h--w- c:\windows\PIF
2010-01-07 02:36:00 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-07 02:26:19 0 d-----w- c:\program files\MSSOAP
2010-01-07 02:26:01 1563008 ----a-w- c:\windows\WRSetup.dll
2010-01-07 02:26:01 0 d-----w- c:\program files\Webroot
2010-01-07 02:26:01 0 d-----w- c:\docume~1\cmanca\applic~1\Webroot
2010-01-07 02:26:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-01-07 02:25:36 164 ----a-w- c:\windows\install.dat
2010-01-07 01:34:30 118256 ----a-w- c:\windows\system32\fMr7EWc-dg8.exe
2010-01-04 16:05:34 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-01-04 16:05:34 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-01-02 00:38:54 0 d-----w- c:\docume~1\cmanca\applic~1\Windows Search
2009-12-28 23:07:07 0 d-----w- c:\program files\VideoLAN
2009-12-28 05:16:22 0 d-----w- c:\documents and settings\cmanca\Tracing
2009-12-28 05:15:45 0 d-----w- c:\program files\Microsoft
2009-12-28 05:15:28 0 d-----w- c:\program files\Windows Live SkyDrive
2009-12-28 05:12:37 0 d-----w- c:\program files\common files\Windows Live
2009-12-28 05:01:45 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-12-26 17:31:53 0 d-----w- c:\docume~1\cmanca\applic~1\mIRC
2009-12-26 04:42:08 1175552 ----a-w- c:\windows\system32\6J2CA6bJ-rC4.dll
2009-12-24 00:11:05 60744 ----a-w- c:\documents and settings\cmanca\g2mdlhlpx.exe
2009-12-23 14:32:15 0 d-----w- c:\docume~1\cmanca\applic~1\TrueCrypt
2009-12-23 03:15:13 0 d-sh--w- c:\documents and settings\cmanca\UserData
2009-12-23 03:12:28 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-12-23 03:12:28 0 d-----w- c:\docume~1\alluse~1\applic~1\TrueCrypt
2009-12-23 03:12:27 0 d-----w- c:\program files\TrueCrypt
2009-12-22 21:20:22 0 d-----w- c:\windows\system32\appmgmt
2009-12-22 20:13:13 0 d-----w- c:\program files\Enterprise Vault
2009-12-22 20:08:55 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll
2009-12-22 20:08:40 0 d-----w- c:\docume~1\cmanca\applic~1\Juniper Networks
2009-12-22 20:04:44 0 d-----w- c:\program files\Yahoo!
2009-12-22 19:42:10 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-12-22 19:42:10 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-12-22 19:42:08 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-12-22 19:42:08 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-12-22 18:22:47 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2009-12-22 18:22:22 0 d-----w- c:\program files\CONEXANT
2009-12-22 18:21:54 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2009-12-22 17:24:47 0 d-----w- C:\lexmark
2009-12-22 17:23:33 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-12-22 05:12:30 0 d-----w- c:\program files\Juniper Shared Office Files
2009-12-22 05:11:55 0 d-----w- c:\windows\system32\VPCache
2009-12-22 03:46:52 3251 ----a-w- c:\windows\system32\wbem\Outlook_01ca82b96626a2ce.mof
2009-12-22 03:46:32 0 d-----w- c:\docume~1\cmanca\applic~1\Funk Software
2009-12-22 03:46:04 0 d-----w- c:\docume~1\cmanca\applic~1\Windows Desktop Search
2009-12-22 03:45:46 0 d-----w- c:\docume~1\cmanca\applic~1\ICAClient
2009-12-22 03:43:17 0 d-----w- c:\program files\Sonic
2009-12-22 03:42:43 0 d-----w- c:\windows\system32\ReinstallBackups
2009-12-22 03:42:37 225664 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-12-22 03:42:37 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-12-22 03:42:37 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-12-22 03:42:36 200704 ----a-w- c:\windows\system32\SynCtrl.dll
2009-12-22 03:42:36 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-12-22 03:42:35 0 d-----w- c:\program files\Synaptics
2009-12-22 03:42:24 4608 ------w- c:\windows\system32\drivers\TSMAPIP.SYS
2009-12-22 03:41:25 28672 ------w- c:\windows\PWMBTHLP.EXE
2009-12-22 03:41:24 94208 ------w- c:\windows\system32\PWMCPl.cpl
2009-12-22 03:41:24 4442 ------w- c:\windows\system32\drivers\TPPWRIF.SYS
2009-12-22 03:39:35 0 d-----w- c:\program files\Lenovo
2009-12-22 03:39:26 0 d-----w- c:\program files\ThinkPad
2009-12-22 03:37:20 222504 ----a-w- c:\windows\system32\odyGina.dll
2009-12-22 03:37:19 603432 ----a-w- c:\windows\system32\odGinaLibrary.dll
2009-12-22 03:37:19 206120 ----a-w- c:\windows\system32\odyEvent.dll
2009-12-22 03:37:14 0 d-----w- c:\program files\Juniper Networks
2009-12-22 03:37:14 0 d-----w- c:\program files\common files\Juniper Networks
2009-12-22 03:37:14 0 d-----w- c:\program files\common files\Funk Software
2009-12-22 03:37:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Juniper Networks
2009-12-22 03:37:06 82 ----a-w- c:\windows\init.ini
2009-12-22 03:34:37 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-22 03:34:37 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-22 03:34:37 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-12-22 03:34:36 0 d-----w- c:\docume~1\alluse~1\applic~1\iPass
2009-12-22 03:34:30 21393 ----a-w- c:\windows\system32\drivers\iPassP.sys
2009-12-22 03:34:29 356352 ----a-w- c:\windows\system32\iPassI5Installer.exe
2009-12-22 03:34:17 0 d-----w- c:\program files\iPass
2009-12-22 03:26:56 0 d-----w- c:\windows\SchCache
2009-12-22 03:26:51 221184 ----a-w- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2010-01-07 19:07:37 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-01 20:04:44 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-01 14:13:10 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-01 14:13:10 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-01 14:13:10 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-01 14:13:10 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-01 14:10:31 410976 ----a-w- c:\windows\system32\deploytk.dll
2009-11-02 14:11:54 258536 ----a-w- c:\windows\system32\Juniper_Screensaver_Blue.scr
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-23 12:09:00 89600 ----a-w- c:\windows\system32\atl71.dll
2009-10-23 12:09:00 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2009-10-23 12:09:00 625032 ----a-w- c:\windows\system32\SymNeti.dll
2009-10-23 12:09:00 242056 ----a-w- c:\windows\system32\SymRedir.dll
2009-10-23 12:09:00 107848 ----a-w- c:\windows\system32\SymVPN.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

============= FINISH: 17:13:21.64 ===============
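As an added example that is not part of this thread, a small Python triage script that reads lines in the DDS "Pseudo HJT Report" and "Created Last 30" formats shown in the log above and flags the kinds of entries a helper looks at first: a Winlogon Taskman value pointing into a user profile, orphaned BHO/TB entries with no file behind them, and loaded or newly created modules with random-looking names such as 6J2CA6bJ-rC4.dll. The sample lines are constructed from the log above; the heuristics (PROFILE_MARKERS, the looks_random thresholds) are my own assumptions, not DDS's or the forum's.

```python
import re
from typing import List, Tuple

# Constructed sample in the DDS "Pseudo HJT Report" and "Created Last 30"
# line formats, copied (and abbreviated) from the log above.
SAMPLE_LOG = r"""
mWinlogon: Taskman=c:\documents and settings\temp\application data\ufxw.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: gwprimawega: {f24e071b-017a-cf85-ed9d-87016347d734} - c:\windows\system32\6J2CA6bJ-rC4.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
2010-01-07 01:34:30 118256 ----a-w- c:\windows\system32\fMr7EWc-dg8.exe
2010-01-04 16:05:34 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
"""

# A module file name: the last path component, ending in a loadable extension.
MODULE_RE = re.compile(r"\\([^\\\s]+\.(?:dll|exe|sys|scr|ocx))(?!\w)", re.IGNORECASE)

# Directories a Winlogon hook (Taskman, Shell, Userinit) should never point into.
# Assumed list, chosen for this example.
PROFILE_MARKERS = ("\\temp\\", "application data", "documents and settings")

Finding = Tuple[str, str, str]  # (severity, rule, offending line)


def looks_random(filename: str) -> bool:
    """Heuristic for machine-generated names such as 6J2CA6bJ-rC4.dll.

    Requires at least one digit and at least three upper/lower case flips
    among the letters of the stem. Vendor names either carry no digits
    (AcroIEHelperShim.dll) or few case flips (TPFNF7SP.exe, e1y5132.sys).
    Thresholds are an assumption for this example, not a published rule.
    """
    stem = filename.rsplit(".", 1)[0]
    if not any(c.isdigit() for c in stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def triage(log_text: str) -> List[Finding]:
    """Scan DDS-style lines and return the ones worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")

        # On XP the Taskman value is normally absent; a hook that points into a
        # profile or temp directory is a persistence entry, not a vendor tool.
        if key in ("uWinlogon", "mWinlogon"):
            if any(m in value.lower() for m in PROFILE_MARKERS):
                findings.append(("high", "winlogon-user-profile-path", line))

        # A BHO/toolbar registration whose file is gone is leftover clutter:
        # harmless by itself, but it is what an incomplete cleanup looks like.
        if key in ("BHO", "TB") and value.rstrip().endswith("- No File"):
            findings.append(("low", "orphaned-entry", line))

        # Any loaded or recently created module with a random-looking name.
        for module in MODULE_RE.findall(line):
            if looks_random(module):
                findings.append(("high", "random-module-name", line))
    return findings


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_LOG):
        print(f"[{severity:4}] {rule:28} {line}")
```

Run against a full DDS log the same way; the findings are leads for a human to verify, not a verdict, since the name heuristic will also catch the odd legitimately-named file.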





#2 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 13 January 2010 - 03:28 PM


Hello SunnSurf, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I need for you to perform the following:


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    • Registry
    • Files
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.





Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 SunnSurf

  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2010 - 07:39 PM

Thanks so much for your help. Here is the report you asked for....

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-13 16:23:29
Windows 5.1.2600 Service Pack 3
Running: pmqnowns.exe; Driver: C:\DOCUME~1\cmanca\LOCALS~1\Temp\pwloifow.sys


---- System - GMER 1.0.15 ----

SSDT 87AE5060 ZwAlertResumeThread
SSDT 87B42060 ZwAlertThread
SSDT 87B00560 ZwAllocateVirtualMemory
SSDT 87AF9C60 ZwConnectPort
SSDT 8A5B0A08 ZwCreateKey
SSDT 87AF8F30 ZwCreateMutant
SSDT 8A5A60F0 ZwCreateProcess
SSDT 8A5DC208 ZwCreateProcessEx
SSDT 87AF05F0 ZwCreateThread
SSDT 8A5B0990 ZwDeleteKey
SSDT 8A5A61D0 ZwDeleteValueKey
SSDT 87B42A50 ZwFreeVirtualMemory
SSDT 87AF0288 ZwImpersonateAnonymousToken
SSDT 87AE7060 ZwImpersonateThread
SSDT 87B429B0 ZwMapViewOfSection
SSDT 87B54798 ZwOpenEvent
SSDT 87AFA058 ZwOpenProcessToken
SSDT 87B42848 ZwOpenThreadToken
SSDT 8A5C1560 ZwQueueApcThread
SSDT 8A51E498 ZwReadVirtualMemory
SSDT 8A5CBF20 ZwRenameKey
SSDT 87B3CA30 ZwResumeThread
SSDT 87AEE518 ZwSetContextThread
SSDT 8A590190 ZwSetInformationKey
SSDT 87B428D8 ZwSetInformationProcess
SSDT 87B42770 ZwSetInformationThread
SSDT 8A5E23C8 ZwSetValueKey
SSDT 87AF8E68 ZwSuspendProcess
SSDT 87B01060 ZwSuspendThread
SSDT 87AED958 ZwTerminateProcess
SSDT 87B546E0 ZwTerminateThread
SSDT 87AEF5D8 ZwUnmapViewOfSection
SSDT 87B004D0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 87B6B520
Device \Driver\Tcpip \Device\Ip 88CE4C68

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp 87B6B520
Device \Driver\Tcpip \Device\Tcp 88CE4C68

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp 87B6B520
Device \Driver\Tcpip \Device\Udp 88CE4C68

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp 87B6B520
Device \Driver\Tcpip \Device\RawIp 88CE4C68

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST 87B6B520
Device \Driver\Tcpip \Device\IPMULTICAST 88CE4C68
Device -> \Driver\iaStor \Device\Harddisk0\DR0 8A4AC841

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 13 January 2010 - 08:54 PM

Good job, now let's do this next:


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.






#5 SunnSurf

  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2010 - 09:45 PM

Combo fix ran. This machine is corporate so I don't have the ability to disable the Symantec Endpoint, but it seemed like it ran alright. I did not get asked about the Microsoft Recovery console, hoping that means that it is already installed..?
It left a file called log.txt which I renamed Combo.tx and it also created a ComboFix.txt at C:\Combofix.tx. I posted them both, with Combofix on the top and Combo.txt below that. It may be the same, but just in case.

thx



ComboFix 10-01-13.07 - cmanca 01/13/2010 18:31:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1978.1437 [GMT -8:00]
Running from: c:\documents and settings\cmanca\My Documents\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\progra~1\Webroot\WEBROO~1\Backup\ntSVc.ocx
c:\windows\EventSystem.log

----- BITS: Possible infected sites -----

hxxp://SMSPRICORP.jnpr.net:80
hxxp://SMSPRICORP:80
Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
.
((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))
.

2010-01-11 07:30 . 2010-01-11 07:30 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 07:29 . 2010-01-11 07:29 -------- d-----w- c:\documents and settings\cmanca\Application Data\Malwarebytes
2010-01-11 07:29 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-11 07:29 . 2010-01-11 07:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 07:29 . 2010-01-11 07:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-11 07:29 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-11 00:58 . 2010-01-11 00:58 388096 ----a-r- c:\documents and settings\cmanca\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-11 00:58 . 2010-01-11 00:58 -------- d-----w- c:\program files\TrendMicro
2010-01-10 18:28 . 2010-01-10 18:28 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Mozilla
2010-01-09 21:20 . 2010-01-09 21:20 -------- d-----w- c:\program files\History Sweeper
2010-01-09 05:18 . 2010-01-09 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-01-09 05:18 . 2010-01-09 05:18 -------- d-----w- c:\program files\IObit
2010-01-09 03:32 . 2010-01-09 04:09 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-09 03:29 . 2010-01-09 04:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-01-09 03:29 . 2009-12-07 14:10 2953352 -c----w- c:\documents and settings\All Users\Application Data\~0\Ad-AwareInstallation.exe
2010-01-09 03:29 . 2010-01-09 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-08 05:20 . 2010-01-08 05:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-07 22:13 . 2008-11-10 19:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-07 22:13 . 2006-10-27 03:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-01-07 05:51 . 2010-01-07 05:51 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-07 05:51 . 2010-01-07 05:51 -------- d-----w- c:\documents and settings\cmanca\log
2010-01-07 05:47 . 2010-01-07 05:47 -------- d-----w- c:\program files\Trend Micro
2010-01-07 03:33 . 2010-01-07 03:33 -------- d-----w- c:\program files\MSXML 4.0
2010-01-07 02:48 . 2010-01-07 02:48 -------- d--h--w- c:\windows\PIF
2010-01-07 02:36 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-07 02:26 . 2010-01-07 02:26 -------- d-----w- c:\program files\MSSOAP
2010-01-07 02:26 . 2010-01-07 02:26 -------- d-----w- c:\program files\Webroot
2010-01-07 02:26 . 2010-01-07 02:26 -------- d-----w- c:\documents and settings\cmanca\Application Data\Webroot
2010-01-07 02:26 . 2010-01-07 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-01-07 02:26 . 2009-11-06 23:19 1563008 ----a-w- c:\windows\WRSetup.dll
2010-01-07 02:25 . 2010-01-07 02:25 164 ----a-w- c:\windows\install.dat
2010-01-07 01:34 . 2010-01-07 01:34 118256 ----a-w- c:\windows\system32\fMr7EWc-dg8.exe
2010-01-04 16:05 . 2008-04-14 08:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-01-04 16:05 . 2008-04-14 08:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-01-02 00:38 . 2010-01-02 00:38 -------- d-----w- c:\documents and settings\cmanca\Application Data\Windows Search
2009-12-28 23:08 . 2010-01-14 00:50 -------- d-----w- c:\documents and settings\cmanca\Application Data\vlc
2009-12-28 23:07 . 2009-12-28 23:07 -------- d-----w- c:\program files\VideoLAN
2009-12-28 05:16 . 2010-01-14 02:37 -------- d-----w- c:\documents and settings\cmanca\Tracing
2009-12-28 05:15 . 2009-12-28 05:15 -------- d-----w- c:\program files\Microsoft
2009-12-28 05:15 . 2009-12-28 05:15 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-28 05:15 . 2009-12-28 05:15 -------- d-----w- c:\program files\Windows Live
2009-12-28 05:12 . 2009-12-28 05:12 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-28 05:11 . 2009-12-28 05:11 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Microsoft Help
2009-12-26 17:31 . 2010-01-14 02:20 -------- d-----w- c:\documents and settings\cmanca\Application Data\mIRC
2009-12-24 00:11 . 2009-12-24 00:11 60744 ----a-w- c:\documents and settings\cmanca\g2mdlhlpx.exe
2009-12-24 00:10 . 2009-12-24 00:10 -------- d-----w- c:\windows\Sun
2009-12-23 14:32 . 2010-01-03 19:17 -------- d-----w- c:\documents and settings\cmanca\Application Data\TrueCrypt
2009-12-23 03:15 . 2009-12-23 03:15 -------- d-sh--w- c:\documents and settings\cmanca\UserData
2009-12-23 03:12 . 2009-12-23 03:12 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-12-23 03:12 . 2009-12-23 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TrueCrypt
2009-12-23 03:12 . 2009-12-23 14:33 -------- d-----w- c:\program files\TrueCrypt
2009-12-23 03:03 . 2009-12-23 03:03 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\KVS
2009-12-23 02:57 . 2009-12-23 02:58 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Temp
2009-12-23 02:57 . 2009-12-23 02:57 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Deployment
2009-12-22 22:14 . 2009-12-22 22:18 -------- d-----w- c:\program files\Microsoft Works
2009-12-22 22:14 . 2009-12-22 22:14 -------- d-----w- c:\program files\Microsoft.NET
2009-12-22 22:11 . 2009-12-22 22:11 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-12-22 22:11 . 2010-01-10 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-22 22:10 . 2009-12-22 22:10 -------- d-----r- C:\MSOCache
2009-12-22 20:13 . 2009-12-22 20:13 -------- d-----w- c:\program files\Enterprise Vault
2009-12-22 20:11 . 2009-12-28 03:50 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Adobe
2009-12-22 20:08 . 2009-01-23 07:46 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll
2009-12-22 20:08 . 2009-12-22 20:08 37021 ----a-w- c:\documents and settings\cmanca\Application Data\Juniper Networks\Setup\uninstall.exe
2009-12-22 20:08 . 2010-01-11 16:20 -------- d-----w- c:\documents and settings\cmanca\Application Data\Juniper Networks
2009-12-22 20:07 . 2009-12-22 20:07 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Yahoo
2009-12-22 20:06 . 2009-12-22 20:07 -------- d-----w- c:\documents and settings\cmanca\Application Data\Yahoo!
2009-12-22 20:06 . 2010-01-07 23:46 67992 ----a-w- c:\documents and settings\cmanca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 20:06 . 2009-12-22 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-22 20:06 . 2009-11-10 22:39 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-12-22 20:06 . 2010-01-11 01:02 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Google
2009-12-22 20:06 . 2010-01-14 02:29 -------- d-----w- c:\program files\Google
2009-12-22 20:04 . 2009-12-23 14:26 -------- d-----w- c:\program files\Yahoo!
2009-12-22 19:42 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-12-22 19:42 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-12-22 19:42 . 2008-04-14 08:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-12-22 19:42 . 2008-04-14 08:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-12-22 18:22 . 2008-04-14 07:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2009-12-22 18:21 . 2008-04-14 07:06 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2009-12-22 17:24 . 2009-12-22 17:24 -------- d-----w- C:\lexmark
2009-12-22 17:23 . 2008-04-14 08:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-12-22 06:48 . 2010-01-14 02:35 447080 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-22 05:12 . 2010-01-04 16:09 -------- d-----w- c:\program files\Juniper Shared Office Files
2009-12-22 05:11 . 2010-01-13 06:20 -------- d-----w- c:\windows\system32\VPCache
2009-12-22 03:47 . 2009-12-22 17:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-12-22 03:46 . 2009-12-22 03:46 -------- d-----w- c:\documents and settings\cmanca\Application Data\Funk Software
2009-12-22 03:46 . 2009-12-22 03:46 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Identities
2009-12-22 03:46 . 2009-12-22 03:46 -------- d-----w- c:\documents and settings\cmanca\Application Data\Windows Desktop Search
2009-12-22 03:43 . 2009-12-22 03:43 -------- d-----w- c:\program files\Sonic
2009-12-22 03:42 . 2008-07-03 15:29 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-12-22 03:42 . 2008-07-03 15:09 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-12-22 03:42 . 2008-07-03 14:53 225664 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-12-22 03:42 . 2008-07-03 14:56 200704 ----a-w- c:\windows\system32\SynCtrl.dll
2009-12-22 03:42 . 2008-07-03 14:55 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-12-22 03:42 . 2009-12-22 03:42 -------- d-----w- c:\program files\Synaptics
2009-12-22 03:42 . 2009-05-29 03:30 4608 ------w- c:\windows\system32\drivers\TSMAPIP.SYS
2009-12-22 03:41 . 2009-09-09 01:03 28672 ------w- c:\windows\PWMBTHLP.EXE
2009-12-22 03:41 . 2009-09-09 01:03 4442 ------w- c:\windows\system32\drivers\TPPWRIF.SYS
2009-12-22 03:39 . 2009-12-22 03:43 -------- d-----w- c:\program files\Lenovo
2009-12-22 03:39 . 2009-12-22 03:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Funk Software
2009-12-22 03:39 . 2009-12-22 03:41 -------- d-----w- c:\program files\ThinkPad
2009-12-22 03:37 . 2009-12-22 03:37 222504 ----a-w- c:\windows\system32\odyGina.dll
2009-12-22 03:37 . 2009-12-22 03:37 603432 ----a-w- c:\windows\system32\odGinaLibrary.dll
2009-12-22 03:37 . 2009-12-22 03:37 206120 ----a-w- c:\windows\system32\odyEvent.dll
2009-12-22 03:37 . 2009-12-22 20:08 -------- d-----w- c:\program files\Juniper Networks
2009-12-22 03:37 . 2009-12-22 03:37 -------- d-----w- c:\program files\Common Files\Juniper Networks
2009-12-22 03:37 . 2009-12-22 03:37 -------- d-----w- c:\program files\Common Files\Funk Software
2009-12-22 03:37 . 2009-12-22 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2009-12-22 03:34 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-22 03:34 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-22 03:34 . 2009-12-22 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\iPass
2009-12-22 03:34 . 2009-12-22 03:34 21393 ----a-w- c:\windows\system32\drivers\iPassP.sys
2009-12-22 03:34 . 2009-12-22 03:34 356352 ----a-w- c:\windows\system32\iPassI5Installer.exe
2009-12-22 03:34 . 2009-12-22 03:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-22 03:34 . 2009-12-22 03:34 -------- d-----w- c:\program files\iPass
2009-12-22 03:26 . 2009-12-22 03:26 -------- d-----w- c:\windows\SchCache
2009-12-22 03:26 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 01:20 . 2009-12-01 15:28 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-24 00:11 . 2009-12-01 14:30 -------- d-----w- c:\program files\Citrix
2009-12-23 20:08 . 2009-12-01 20:06 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-22 18:22 . 2009-12-22 18:22 -------- d-----w- c:\program files\CONEXANT
2009-12-22 18:22 . 2009-12-22 18:22 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-22 03:41 . 2009-12-01 14:06 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-01 20:07 . 2009-12-01 20:07 -------- d-----w- c:\program files\microsoft frontpage
2009-12-01 20:04 . 2009-12-01 20:04 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-01 15:04 . 2009-12-01 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Screentime
2009-12-01 15:04 . 2009-12-22 03:45 -------- d-----w- c:\documents and settings\cmanca\Application Data\ICAClient
2009-12-01 15:04 . 2009-12-01 15:04 -------- d-----w- c:\documents and settings\Default User\Application Data\ICAClient
2009-12-01 14:57 . 2009-12-01 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-12-01 14:28 . 2009-12-01 14:27 -------- d-----w- c:\program files\PDFCreator
2009-12-01 14:26 . 2009-12-01 14:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-01 14:22 . 2009-12-01 14:22 -------- d-----w- c:\program files\MSECache
2009-12-01 14:21 . 2009-12-01 14:21 -------- d-----w- c:\program files\Microsoft Office Communicator
2009-12-01 14:16 . 2009-12-01 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-01 14:16 . 2009-12-01 14:15 -------- d-----w- c:\program files\QuickTime
2009-12-01 14:15 . 2009-12-01 14:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-01 14:14 . 2009-12-01 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-01 14:13 . 2009-12-01 14:11 -------- d-----w- c:\program files\Symantec
2009-12-01 14:13 . 2009-12-01 14:13 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-01 14:13 . 2009-12-01 14:13 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-01 14:13 . 2009-12-01 14:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-01 14:13 . 2009-12-01 14:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-01 14:10 . 2009-12-01 14:10 410976 ----a-w- c:\windows\system32\deploytk.dll
2009-12-01 14:10 . 2009-12-01 14:09 -------- d-----w- c:\program files\Java
2009-12-01 14:09 . 2009-12-01 14:09 -------- d-----w- c:\program files\Common Files\Java
2009-12-01 14:07 . 2009-12-01 14:07 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-01 14:07 . 2009-12-01 14:07 -------- d-----w- c:\program files\Common Files\Real
2009-12-01 14:07 . 2009-12-01 14:07 -------- d-----w- c:\program files\Real
2009-12-01 13:49 . 2009-12-01 13:20 -------- d-----w- c:\program files\Windows Desktop Search
2009-12-01 13:35 . 2009-12-01 13:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-01 13:28 . 2009-12-01 13:28 -------- d-----w- c:\program files\MSBuild
2009-12-01 13:27 . 2009-12-01 13:27 -------- d-----w- c:\program files\Reference Assemblies
2009-12-01 13:21 . 2009-12-01 13:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-12-01 13:19 . 2009-12-01 13:19 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-21 15:51 . 2009-12-01 20:54 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-06 20:00 . 2009-11-06 20:00 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-11-06 20:00 . 2009-11-06 20:00 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-11-06 20:00 . 2009-11-06 20:00 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-11-03 10:42 . 2009-12-01 15:04 20728 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\Juniper_Screensaver_Blue\saver2.dll
2009-11-03 10:42 . 2009-12-01 15:04 36840 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\Juniper_Screensaver_Blue\saver1.dll
2009-11-02 14:11 . 2009-12-01 20:55 258536 ----a-w- c:\windows\system32\Juniper_Screensaver_Blue.scr
2009-10-29 07:46 . 2009-12-01 20:55 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2009-12-01 20:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2009-12-01 20:54 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-23 12:08 . 2009-12-01 14:12 75112 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\Redist\ccInst.dll
2009-10-21 05:38 . 2009-12-01 20:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2009-12-01 20:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-06 3900936]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"Sweeper.exe"="c:\program files\History Sweeper\sweeper.exe" [2009-01-23 176128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-01 185896]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-23 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2008-06-04 1193256]
"TpShocks"="TpShocks.exe" [2008-08-02 181536]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-09-09 421888]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-05-29 61728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-06 3900936]

c:\documents and settings\cmanca\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 300 (0x12c)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoPropertiesRecycleBin"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2009-12-22 03:37 206120 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-2000478354-682003330-78013\Scripts\Logon\0\0]
"Script"=\\jnpr.net\NETLOGON\CTG_UserLogonScript.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [12/1/2009 7:28 AM 277032]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [6/3/2008 7:31 PM 254208]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/10/2008 4:39 PM 19496]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [12/1/2009 12:55 PM 17584]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [7/8/2009 9:41 AM 13480]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [12/20/2007 1:31 PM 83320]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [12/21/2009 7:41 PM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [11/2/2009 5:47 AM 62320]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [12/22/2009 11:07 AM 239760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/1/2009 6:30 AM 102448]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [10/4/2007 6:04 PM 390528]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [10/4/2007 6:04 PM 29312]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [11/2/2009 5:47 AM 45424]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/23/2009 4:08 AM 23888]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [6/3/2008 7:04 PM 116008]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [12/1/2009 12:52 PM 22448]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2009 12:52 PM 29232]
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-12-22 01:03]
.
.
------- Supplementary Scan -------
.
uStart Page = https://sa.juniper.net/dana/home/index.cgi
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
DPF: {BDCBB757-CE6C-4C87-BE97-982DAE596048} - hxxp://crm.juniper.net/htim_enu/20412/applets/SiebelAx_HI_Client.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\cmanca\Application Data\Mozilla\Firefox\Profiles\mgcho012.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus
AddRemove-mIRC - e:\prog\mIRC\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 18:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1600)
c:\windows\system32\odyGina.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\odyEvent.dll
c:\windows\system32\msi.dll

- - - - - - - > 'explorer.exe'(4652)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\windows\system32\msiexec.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-01-13 18:40:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-14 02:40

Pre-Run: 117,658,722,304 bytes free
Post-Run: 117,653,090,304 bytes free

- - End Of File - - CF737E8D3570BA44E46058176FF356C7

2009-12-22 22:11 . 2010-01-10 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-22 22:10 . 2009-12-22 22:10 -------- d-----r- C:\MSOCache
2009-12-22 20:13 . 2009-12-22 20:13 -------- d-----w- c:\program files\Enterprise Vault
2009-12-22 20:11 . 2009-12-28 03:50 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Adobe
2009-12-22 20:08 . 2009-01-23 07:46 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll
2009-12-22 20:08 . 2009-12-22 20:08 37021 ----a-w- c:\documents and settings\cmanca\Application Data\Juniper Networks\Setup\uninstall.exe
2009-12-22 20:08 . 2010-01-11 16:20 -------- d-----w- c:\documents and settings\cmanca\Application Data\Juniper Networks
2009-12-22 20:07 . 2009-12-22 20:07 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Yahoo
2009-12-22 20:06 . 2009-12-22 20:07 -------- d-----w- c:\documents and settings\cmanca\Application Data\Yahoo!
2009-12-22 20:06 . 2010-01-07 23:46 67992 ----a-w- c:\documents and settings\cmanca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 20:06 . 2009-12-22 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-22 20:06 . 2009-11-10 22:39 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-12-22 20:06 . 2010-01-11 01:02 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Google
2009-12-22 20:06 . 2010-01-14 02:29 -------- d-----w- c:\program files\Google
2009-12-22 20:04 . 2009-12-23 14:26 -------- d-----w- c:\program files\Yahoo!
2009-12-22 19:42 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-12-22 19:42 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-12-22 19:42 . 2008-04-14 08:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-12-22 19:42 . 2008-04-14 08:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-12-22 18:22 . 2008-04-14 07:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2009-12-22 18:21 . 2008-04-14 07:06 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2009-12-22 17:24 . 2009-12-22 17:24 -------- d-----w- C:\lexmark
2009-12-22 17:23 . 2008-04-14 08:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-12-22 06:48 . 2010-01-14 02:35 447080 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-22 05:12 . 2010-01-04 16:09 -------- d-----w- c:\program files\Juniper Shared Office Files
2009-12-22 05:11 . 2010-01-13 06:20 -------- d-----w- c:\windows\system32\VPCache
2009-12-22 03:47 . 2009-12-22 17:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-12-22 03:46 . 2009-12-22 03:46 -------- d-----w- c:\documents and settings\cmanca\Application Data\Funk Software
2009-12-22 03:46 . 2009-12-22 03:46 -------- d-----w- c:\documents and settings\cmanca\Local Settings\Application Data\Identities
2009-12-22 03:46 . 2009-12-22 03:46 -------- d-----w- c:\documents and settings\cmanca\Application Data\Windows Desktop Search
2009-12-22 03:43 . 2009-12-22 03:43 -------- d-----w- c:\program files\Sonic
2009-12-22 03:42 . 2008-07-03 15:29 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-12-22 03:42 . 2008-07-03 15:09 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-12-22 03:42 . 2008-07-03 14:53 225664 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-12-22 03:42 . 2008-07-03 14:56 200704 ----a-w- c:\windows\system32\SynCtrl.dll
2009-12-22 03:42 . 2008-07-03 14:55 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-12-22 03:42 . 2009-12-22 03:42 -------- d-----w- c:\program files\Synaptics
2009-12-22 03:42 . 2009-05-29 03:30 4608 ------w- c:\windows\system32\drivers\TSMAPIP.SYS
2009-12-22 03:41 . 2009-09-09 01:03 28672 ------w- c:\windows\PWMBTHLP.EXE
2009-12-22 03:41 . 2009-09-09 01:03 4442 ------w- c:\windows\system32\drivers\TPPWRIF.SYS
2009-12-22 03:39 . 2009-12-22 03:43 -------- d-----w- c:\program files\Lenovo
2009-12-22 03:39 . 2009-12-22 03:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Funk Software
2009-12-22 03:39 . 2009-12-22 03:41 -------- d-----w- c:\program files\ThinkPad
2009-12-22 03:37 . 2009-12-22 03:37 222504 ----a-w- c:\windows\system32\odyGina.dll
2009-12-22 03:37 . 2009-12-22 03:37 603432 ----a-w- c:\windows\system32\odGinaLibrary.dll
2009-12-22 03:37 . 2009-12-22 03:37 206120 ----a-w- c:\windows\system32\odyEvent.dll
2009-12-22 03:37 . 2009-12-22 20:08 -------- d-----w- c:\program files\Juniper Networks
2009-12-22 03:37 . 2009-12-22 03:37 -------- d-----w- c:\program files\Common Files\Juniper Networks
2009-12-22 03:37 . 2009-12-22 03:37 -------- d-----w- c:\program files\Common Files\Funk Software
2009-12-22 03:37 . 2009-12-22 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2009-12-22 03:34 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-22 03:34 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-22 03:34 . 2009-12-22 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\iPass
2009-12-22 03:34 . 2009-12-22 03:34 21393 ----a-w- c:\windows\system32\drivers\iPassP.sys
2009-12-22 03:34 . 2009-12-22 03:34 356352 ----a-w- c:\windows\system32\iPassI5Installer.exe
2009-12-22 03:34 . 2009-12-22 03:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-22 03:34 . 2009-12-22 03:34 -------- d-----w- c:\program files\iPass
2009-12-22 03:26 . 2009-12-22 03:26 -------- d-----w- c:\windows\SchCache
2009-12-22 03:26 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 01:20 . 2009-12-01 15:28 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-24 00:11 . 2009-12-01 14:30 -------- d-----w- c:\program files\Citrix
2009-12-23 20:08 . 2009-12-01 20:06 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-22 18:22 . 2009-12-22 18:22 -------- d-----w- c:\program files\CONEXANT
2009-12-22 18:22 . 2009-12-22 18:22 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-22 03:41 . 2009-12-01 14:06 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-01 20:07 . 2009-12-01 20:07 -------- d-----w- c:\program files\microsoft frontpage
2009-12-01 20:04 . 2009-12-01 20:04 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-01 15:04 . 2009-12-01 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Screentime
2009-12-01 15:04 . 2009-12-22 03:45 -------- d-----w- c:\documents and settings\cmanca\Application Data\ICAClient
2009-12-01 15:04 . 2009-12-01 15:04 -------- d-----w- c:\documents and settings\Default User\Application Data\ICAClient
2009-12-01 14:57 . 2009-12-01 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-12-01 14:28 . 2009-12-01 14:27 -------- d-----w- c:\program files\PDFCreator
2009-12-01 14:26 . 2009-12-01 14:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-01 14:22 . 2009-12-01 14:22 -------- d-----w- c:\program files\MSECache
2009-12-01 14:21 . 2009-12-01 14:21 -------- d-----w- c:\program files\Microsoft Office Communicator
2009-12-01 14:16 . 2009-12-01 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-01 14:16 . 2009-12-01 14:15 -------- d-----w- c:\program files\QuickTime
2009-12-01 14:15 . 2009-12-01 14:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-01 14:14 . 2009-12-01 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-01 14:13 . 2009-12-01 14:11 -------- d-----w- c:\program files\Symantec
2009-12-01 14:13 . 2009-12-01 14:13 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-01 14:13 . 2009-12-01 14:13 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-01 14:13 . 2009-12-01 14:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-01 14:13 . 2009-12-01 14:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-01 14:10 . 2009-12-01 14:10 410976 ----a-w- c:\windows\system32\deploytk.dll
2009-12-01 14:10 . 2009-12-01 14:09 -------- d-----w- c:\program files\Java
2009-12-01 14:09 . 2009-12-01 14:09 -------- d-----w- c:\program files\Common Files\Java
2009-12-01 14:07 . 2009-12-01 14:07 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-01 14:07 . 2009-12-01 14:07 -------- d-----w- c:\program files\Common Files\Real
2009-12-01 14:07 . 2009-12-01 14:07 -------- d-----w- c:\program files\Real
2009-12-01 13:49 . 2009-12-01 13:20 -------- d-----w- c:\program files\Windows Desktop Search
2009-12-01 13:35 . 2009-12-01 13:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-01 13:28 . 2009-12-01 13:28 -------- d-----w- c:\program files\MSBuild
2009-12-01 13:27 . 2009-12-01 13:27 -------- d-----w- c:\program files\Reference Assemblies
2009-12-01 13:21 . 2009-12-01 13:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-12-01 13:19 . 2009-12-01 13:19 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-21 15:51 . 2009-12-01 20:54 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-06 20:00 . 2009-11-06 20:00 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-11-06 20:00 . 2009-11-06 20:00 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-11-06 20:00 . 2009-11-06 20:00 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-11-03 10:42 . 2009-12-01 15:04 20728 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\Juniper_Screensaver_Blue\saver2.dll
2009-11-03 10:42 . 2009-12-01 15:04 36840 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\Juniper_Screensaver_Blue\saver1.dll
2009-11-02 14:11 . 2009-12-01 20:55 258536 ----a-w- c:\windows\system32\Juniper_Screensaver_Blue.scr
2009-10-29 07:46 . 2009-12-01 20:55 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2009-12-01 20:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2009-12-01 20:54 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-23 12:08 . 2009-12-01 14:12 75112 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\Redist\ccInst.dll
2009-10-21 05:38 . 2009-12-01 20:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2009-12-01 20:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-06 3900936]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"Sweeper.exe"="c:\program files\History Sweeper\sweeper.exe" [2009-01-23 176128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-01 185896]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-23 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2008-06-04 1193256]
"TpShocks"="TpShocks.exe" [2008-08-02 181536]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-09-09 421888]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-05-29 61728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-06 3900936]

c:\documents and settings\cmanca\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 300 (0x12c)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoPropertiesRecycleBin"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2009-12-22 03:37 206120 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-2000478354-682003330-78013\Scripts\Logon\0\0]
"Script"=\\jnpr.net\NETLOGON\CTG_UserLogonScript.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [12/1/2009 7:28 AM 277032]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [6/3/2008 7:31 PM 254208]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/10/2008 4:39 PM 19496]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [12/1/2009 12:55 PM 17584]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [7/8/2009 9:41 AM 13480]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [12/20/2007 1:31 PM 83320]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [12/21/2009 7:41 PM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [11/2/2009 5:47 AM 62320]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [12/22/2009 11:07 AM 239760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/1/2009 6:30 AM 102448]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [10/4/2007 6:04 PM 390528]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [10/4/2007 6:04 PM 29312]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [11/2/2009 5:47 AM 45424]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/23/2009 4:08 AM 23888]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [6/3/2008 7:04 PM 116008]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [12/1/2009 12:52 PM 22448]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2009 12:52 PM 29232]
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-12-22 01:03]
.
.
------- Supplementary Scan -------
.
uStart Page = https://sa.juniper.net/dana/home/index.cgi
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
DPF: {BDCBB757-CE6C-4C87-BE97-982DAE596048} - hxxp://crm.juniper.net/htim_enu/20412/applets/SiebelAx_HI_Client.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\cmanca\Application Data\Mozilla\Firefox\Profiles\mgcho012.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus
AddRemove-mIRC - e:\prog\mIRC\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 18:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1600)
c:\windows\system32\odyGina.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\odyEvent.dll
c:\windows\system32\msi.dll

- - - - - - - > 'explorer.exe'(4652)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\windows\system32\msiexec.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-01-13 18:40:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-14 02:40

Pre-Run: 117,658,722,304 bytes free
Post-Run: 117,653,090,304 bytes free

- - End Of File - - CF737E8D3570BA44E46058176FF356C7
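The listing above names every file created or written in the last three months, which is more than anyone reads by eye. As an added example (my own code, not ComboFix's and not from anyone in this thread), the script below parses lines in ComboFix's `created . last-write size attrs path` format and lists the kernel drivers whose file object was created inside the incident window, newest first, marking those whose creation time is newer than their last-write time. In this log that singles out iaStor.sys, and the Kaspersky report later in the thread names the quarantined copy of that file as Rootkit.Win32.TDSS.y; the TDL3 family infects an existing system driver rather than installing its own, so a changed driver in the incident window is the first thing to verify by hashing it against a known-good copy. Two assumptions: that the first timestamp is creation time and the second last-write time, and the window dates, which I set from the dates in the thread.

```python
"""Triage helper for a ComboFix file listing.  Added example for this
thread; it is not part of ComboFix or of the poster's log.

It parses listing lines of the form

    <created> . <last-write> <size or --------> <attrs> <path>

and lists kernel drivers (*.sys) whose file object was created inside the
incident window, newest first, marking those whose creation time is newer
than their last-write time (a fresh file carrying an older write stamp,
which is what a copied-in or swapped binary looks like).  Assumption: the
first timestamp is creation time and the second is last-write time.
"""
import re
from datetime import datetime, timedelta

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<written>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
STAMP = "%Y-%m-%d %H:%M"

# Lines taken verbatim from the listing above (Find3M and Files Created
# sections), so the example runs offline.
SAMPLE_LISTING = r"""
2010-01-12 01:20 . 2009-12-01 15:28 330264 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-07 05:51 . 2010-01-07 05:51 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-07 05:47 . 2010-01-07 05:47 -------- d-----w- c:\program files\Trend Micro
2010-01-04 16:05 . 2008-04-14 08:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-12-01 14:13 . 2009-12-01 14:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
"""

# Incident window (assumed): shortly before the first symptoms, up to the
# ComboFix run.
WINDOW_START = datetime(2009, 12, 24)
WINDOW_END = datetime(2010, 1, 14)


def parse_entry(line):
    """One listing line -> dict, or None for headers, separators and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "created": datetime.strptime(m["created"], STAMP),
        "written": datetime.strptime(m["written"], STAMP),
        "size": None if m["size"].startswith("-") else int(m["size"]),
        "is_dir": m["attrs"].startswith("d"),
        "path": m["path"].lower(),
    }


def drivers_changed_in_window(lines, window_start, window_end):
    """Kernel drivers created inside [window_start, window_end], newest first.

    'replaced' is True when the creation time is at least a day newer than
    the last-write time.  This is a ranking for a human to verify, for
    example by hashing the file against a known-good copy from the install
    media: installers and Windows File Protection produce the same pattern
    (kbdhid.sys in the sample shows it and has a dllcache twin in the log).
    """
    hits = []
    for line in lines:
        e = parse_entry(line)
        if not e or e["is_dir"] or not e["path"].endswith(".sys"):
            continue
        if not (window_start <= e["created"] <= window_end):
            continue
        skew = e["created"] - e["written"]
        hits.append({
            "path": e["path"],
            "created": e["created"],
            "skew_days": skew.days,
            "replaced": skew >= timedelta(days=1),
        })
    hits.sort(key=lambda h: h["created"], reverse=True)
    return hits


def triage_sample():
    """Run the ranking over the embedded sample with the assumed window."""
    return drivers_changed_in_window(SAMPLE_LISTING.splitlines(),
                                     WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for h in triage_sample():
        flag = "REPLACED" if h["replaced"] else "new     "
        print(f"{h['created']:%Y-%m-%d %H:%M}  {flag}  "
              f"skew={h['skew_days']:>4}d  {h['path']}")
```

The ranking deliberately keeps false positives in: a fresh driver with a matching write stamp (tmcomm.sys here) is just as worth a glance as a swapped one, and the hash check against install media is what settles each line, not the timestamps.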


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:57 AM

Posted 13 January 2010 - 10:00 PM

Did that eliminate the redirections you were getting?
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#7 SunnSurf

SunnSurf
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:57 AM

Posted 13 January 2010 - 10:05 PM

So far it seems like it has. I tried about 15 Google searches and clicks...seems all clear. UNBELIEVABLE!!!!!!!!!!
I have a current antivirus and I always keep patches current. I never open shady emails or click on boxes or popups (yes or no; use the X in the corner to shut it down). How do I avoid reinfection? I am not sure how I got infected in the first place. Also, what was the nasty bug anyway?
P.S. You rock..!!!

#8 SunnSurf

SunnSurf
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:57 AM

Posted 13 January 2010 - 10:07 PM

P.P.S. You really rock! And so does whoever wrote ComboFix!!!

#9 SunnSurf

SunnSurf
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:57 AM

Posted 13 January 2010 - 10:37 PM

One more thing. I haven't done anything, but I ran Malwarebytes and it came up with Malware.trace. Again, I haven't done anything, I just wanted to see what it would find.
I did notice when the rootkit was still active that it would keep reinstalling bad stuff. I did try again to see if redirection was happening, and it seems clear.
Advice?

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:57 AM

Posted 13 January 2010 - 10:47 PM

Thanks, Combofix is a heck of a tool and its developer sUBs does an awesome job with it. Unluckily we have a lot of people who see us run it and, because they have similar issues, run it without help; then they get into trouble and don't know what to do. There is a heck of a lot to know about it and we have reams of information to study in order to start using it. We try to warn them not to use it without supervision but lots do anyway; some get away with it and it works, while others come on here and other sites wanting to know what to do.

The infection you had is a rootkit called TDL3 which is a third generation of the TDSS rootkit. These things are very nasty and can be hard as heck to get rid of sometimes. They block a lot of what we do so often we spend quite a bit of time trying to figure out a workaround to get by them. New strains are coming out daily and it's a lot of work trying to keep up with all of it.


Let's run one more scan and see if any vestiges of the infection are left over.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.



#11 SunnSurf

SunnSurf
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:57 AM

Posted 14 January 2010 - 01:08 AM


Well, I wish I could say I was infection free, but that's not the case. I am tempted to manually eliminate or rerun MalwareBytes, but I am not taking any action.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, January 13, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, January 14, 2010 03:58:07
Records in database: 3311925
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 43529
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:46:17


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0D480000\4F4D3AE1.VBN Infected: Trojan.Win32.FakeMS.bbe 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0D480001\4F4D3B0C.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0D480002\4F4D3B24.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ghq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.


#12 SunnSurf

SunnSurf
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:57 AM

Posted 14 January 2010 - 01:10 AM

...or maybe these are all in quarantine boxes and it's in fact OK?
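The question above (are these all in quarantine boxes?) is the right one to ask of any post-cleanup scan: a hit inside another tool's quarantine store is a disarmed copy, not a running infection, and only a detection on a live path needs action. As an added example, not Kaspersky's code and not from anyone in the thread, the script below sorts the report posted above into quarantined and live detections using the two quarantine folders that appear in it and the .VBN/.vir container suffixes those tools use, and checks that the number of detection lines matches the report's own "Infected objects found" figure so a truncated paste cannot pass as clean. The folder list and suffixes are assumptions drawn from this one report; add the stores your own tools use.

```python
"""Sort a Kaspersky Online Scanner report into detections that sit in a
quarantine store and detections on live paths.  Added example for this
thread; it is not Kaspersky's or the forum's code.  Paths are judged by
directory (the quarantine folders named in the report above) and by the
container suffixes those tools use; extend both tuples for other tools.
"""
import re

DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
DECLARED_RE = re.compile(r"^Infected objects found:\s+(\d+)$")

# Quarantine stores present on the machine in the thread (assumed list).
QUARANTINE_DIRS = (
    "\\symantec endpoint protection\\quarantine\\",  # SEP, .VBN containers
    "\\qoobox\\quarantine\\",                        # ComboFix, .vir copies
)
QUARANTINE_SUFFIXES = (".vbn", ".vir")

# The report posted above, verbatim, so the example runs offline.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 43529
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:46:17


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0D480000\4F4D3AE1.VBN Infected: Trojan.Win32.FakeMS.bbe 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0D480001\4F4D3B0C.VBN Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0D480002\4F4D3B24.VBN Infected: Trojan-Downloader.Win32.FraudLoad.ghq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.
"""


def is_quarantine_path(path):
    """True when the path sits inside a known quarantine store."""
    low = path.lower()
    return any(d in low for d in QUARANTINE_DIRS) or low.endswith(QUARANTINE_SUFFIXES)


def triage_report(report_text):
    """Return {'live', 'quarantined', 'declared', 'complete'}.

    'complete' is False when the number of detection lines found does not
    equal the report's own 'Infected objects found' figure, so a truncated
    paste is noticed before anyone concludes the machine is clean.
    """
    live, quarantined, declared = [], [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        d = DECLARED_RE.match(line)
        if d:
            declared = int(d.group(1))
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        entry = {"path": m["path"], "threat": m["threat"]}
        (quarantined if is_quarantine_path(m["path"]) else live).append(entry)
    found = len(live) + len(quarantined)
    return {"live": live, "quarantined": quarantined, "declared": declared,
            "complete": declared is not None and declared == found}


def triage_sample():
    """Run the triage over the report embedded above."""
    return triage_report(SAMPLE_REPORT)


if __name__ == "__main__":
    r = triage_sample()
    print(f"report complete: {r['complete']}  "
          f"({len(r['live'])} live, {len(r['quarantined'])} quarantined)")
    for e in r["live"]:
        print("ACTIVE    ", e["threat"], e["path"])
    for e in r["quarantined"]:
        print("quarantine", e["threat"], e["path"])
```

Everything in this report lands in the quarantined bucket. The one thing the script will not tell you is whether the quarantine stores themselves should be emptied; that is a judgement for whoever is guiding the cleanup, since the quarantined copies are also the evidence of what was on the machine.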

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:57 AM

Posted 14 January 2010 - 09:54 AM

Yes, those are all in quarantine and don't present a problem.

Let's update your Java and then let me know if things are OK.


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#14 SunnSurf (Topic Starter, Members, 10 posts)

Posted 14 January 2010 - 10:29 AM

Alright. I did it. It seemed to update fine and I deleted an older version of Java as well. Is that it? Any tips on avoiding running into trouble, based on my earlier comments? It seems like I must have been infected by browsing to the wrong site, but I am not sure.

#15 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 14 January 2010 - 08:24 PM

We'll remove the tools we used, and I have some things you can do below which will help you stay clean. Just remember that the best protection you can have is to be very careful where you go and what you click on. This includes things from places like Facebook and MySpace, or something as innocent looking as a link from a supposed friend, since it might not be your friend but someone who has hijacked their email list.


Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the text below into the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.



You can now delete any of the other tools we have used also.



Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC; keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  2. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  3. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  4. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date




If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that, if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum.


thewall
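The following script is an added example for steps 3 and 4 of thewall's post above; it is not part of the original thread and not thewall's or SpywareBlaster's code. Step 3 changes Internet-zone URL actions through Inetcpl.cpl, which IE stores as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (value names 1001, 1004 and 1201 as documented by Microsoft; 0 = Enable, 1 = Prompt, 3 = Disable). Step 4's SpywareBlaster works by setting "kill bits": a Compatibility Flags DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which stops IE from loading that control at all. The script assumes PowerShell 2.0 or later on the Windows XP machine; the CLSID it checks is a placeholder chosen for illustration, not a real control.

```powershell
# Added example (not from the BleepingComputer thread): audit and apply the
# Internet-zone ActiveX settings from step 3, then audit the kill bits that
# step 4 (SpywareBlaster) relies on. Assumes PowerShell 2.0+ on Windows XP.

$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'   # 3 = Internet zone

# URL actions as they appear on the Security tab; 0 = Enable, 1 = Prompt, 3 = Disable.
$desired = @{
    '1001' = 1   # Download signed ActiveX controls                         -> Prompt
    '1004' = 1   # Download unsigned ActiveX controls                       -> Prompt
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting([string]$name) {
    $v = (Get-ItemProperty -Path $zone -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq $null) { return 'not set (IE default applies)' }
    if ($label.ContainsKey([int]$v)) { return $label[[int]$v] }
    return "raw value $v"
}

'--- Internet zone ActiveX settings before ---'
foreach ($k in $desired.Keys) { '{0}: {1}' -f $k, (Get-ZoneSetting $k) }

# Apply the per-user settings. A domain policy in HKLM would override these.
foreach ($k in $desired.Keys) {
    Set-ItemProperty -Path $zone -Name $k -Value $desired[$k] -Type DWord
}

'--- Internet zone ActiveX settings after ---'
foreach ($k in $desired.Keys) { '{0}: {1}' -f $k, (Get-ZoneSetting $k) }

# Kill bit check: bit 0x400 in "Compatibility Flags" under the control's CLSID key.
$compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit([string]$clsid) {
    $flags = (Get-ItemProperty -Path (Join-Path $compat $clsid) -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($flags -ne $null) -and (($flags -band 0x400) -ne 0)
}

# Setting a kill bit needs an administrative account; it ORs 0x400 into any existing flags.
# Defined here for reference and deliberately not invoked, so the script changes nothing in HKLM.
function Set-KillBit([string]$clsid) {
    $key = Join-Path $compat $clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $old = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($old -eq $null) { $old = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($old -bor 0x400) -Type DWord
}

# How many controls are already kill-bitted on this machine (SpywareBlaster adds to this list).
$killed = @(Get-ChildItem -Path $compat -ErrorAction SilentlyContinue |
            Where-Object { Test-KillBit $_.PSChildName })
'--- kill bits present: {0} CLSIDs ---' -f $killed.Count

$sample = '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID, not a real control
'Kill bit set for {0}: {1}' -f $sample, (Test-KillBit $sample)
```

Run it in a normal user session to see the zone settings change; rerun after installing SpywareBlaster and the kill-bit count should rise, which is a quick way to confirm that step 4 actually took effect. The zone values are per user, so other accounts on the machine keep their own settings until the same change is made there.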



