Search Redirect / tru01dms3.com


32 replies to this topic

#1 keepncool

Posted 26 June 2010 - 09:10 PM

When I use a search engine, the search engine works, and the links are correct.... But when I click a link it redirects me to a random site. When the redirection occurs it always starts with tru01dms3.com ... Occasionally a random webpage will open out of the blue. I haven't noticed any other problems. I have already run Malwarebytes & Symantec Endpoint. Both scans come out clean.

Thanks so much for your help.
Michael York


Response to the preparation guide as outlined by Grinler:

1) backup your data - done
2-4) done
5) Enable Firewall - done
6) disable your CD emulation software - done
7) Download and Run dds - done (see results below)
8) GMER log - Cannot run. It starts to scan, then the system shuts down and reboots.


Windows XP PRO SP3
Intel Core 2 duo
2.5 GHz 3 GIG ram
IE 6 (required for business applications)
FireFox

DDS (Ver_10-03-17.01) - NTFSx86
Run by cyorkmi at 16:41:45.40 on Sat 06/26/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3036.1523 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\LonWorks\bin\LnsMtsSvc.exe
C:\Inetpub\Wwwroot\MetasysIII\Tool\bin\ActionQueue.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\SoftGate\SoftGateNotify.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\spyware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.johnsoncontrols.com/
uInternet Connection Wizard,ShellNext = hxxp://localhost/SCT
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [{B53ACCA6-3F22-B04D-FFE9-9998B7DB6F98}] "c:\documents and settings\cyorkmi\application data\qaek\exla.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [AccessManager] c:\program files\accessmanager\client\AccessMgr.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [Softgate] c:\program files\softgate\SoftGateNotify.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
StartupFolder: c:\docume~1\cyorkmi\startm~1\programs\startup\monito~1.lnk - c:\program files\eroom 7\ERClient7.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aimver~1.lnk - c:\program files\johnson controls\aim\aimver\reminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.johnsoncontrols.com/eRoomSetup/client.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://jwimkns12.na.jci.com/dwa8W.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: AMINIT.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - shdocvw.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cyorkmi\applic~1\mozilla\firefox\profiles\6szzaxkv.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\adobe\reader\browser\nppdf32.dll
FF - plugin: c:\program files\java\jre1.5.0_13\bin\NPJPI150_13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npeRoom7.dll
FF - HiddenExtension: XULRunner: {1D048104-F73F-4FF5-98E6-B5A8F21F125A} - c:\documents and settings\cyorkmi\local settings\application data\{1D048104-F73F-4FF5-98E6-B5A8F21F125A}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-5-4 40560]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-9-22 24064]
R2 AMBroker;Access Manager Configuration Service;c:\program files\accessmanager\client\AMBroker.exe [2004-3-4 81920]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-27 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-27 108392]
R2 LnsMtsSvc;Echelon Support Service for Microsoft Terminal Services (MTS);c:\lonworks\bin\LnsMtsSvc.exe [2007-9-21 62776]
R2 MIIIAQ;Metasys III Action Queue;c:\inetpub\wwwroot\metasysiii\tool\bin\ActionQueue.exe [2009-12-9 192512]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-7-27 2440632]
R2 TSM Scheduler;TSM Scheduler;c:\program files\tivoli\tsm\baclient\dsmcsvc.exe [2007-2-21 3117056]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-9-22 475520]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-4-19 228408]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-11-11 240344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-4 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-11-11 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100624.002\NAVENG.SYS [2010-6-24 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100624.002\NAVEX15.SYS [2010-6-24 1347504]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-10-2 47616]
S1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-5-29 9216]
S2 ChkLpt;ChkLpt;c:\windows\system32\drivers\Chklpt.sys [2004-6-19 6364]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-27 23888]
S3 DAPlugin;Visual Insight DA Plugin;c:\program files\accessmanager\client\DAPlugin.exe [2004-3-4 81920]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys --> c:\windows\system32\drivers\e1k5132.sys [?]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2006-5-17 29404]
S3 LdvxBroker;Echelon xDriver Connection Broker;c:\lonworks\bin\LdvxBroker.exe [2007-9-21 66872]
S3 sp_spi_da;Visual Insight Dial Analysis;c:\program files\accessmanager\smoc\spi_da.exe [2003-4-17 81920]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-19 189792]

=============== Created Last 30 ================

2010-06-26 21:41:44 0 d-----w- c:\temp\186.tmp
2010-06-26 21:41:18 0 ----a-w- c:\documents and settings\cyorkmi\defogger_reenable
2010-06-26 21:38:53 0 d-----w- C:\spyware
2010-06-26 16:47:36 0 d-----w- c:\temp\hsperfdata_cyorkmi
2010-06-25 03:11:20 0 d-----w- c:\temp\WPDNSE
2010-06-25 03:10:30 16384 ----atw- c:\temp\Perflib_Perfdata_334.dat
2010-06-25 03:10:09 16384 ----atw- c:\temp\Perflib_Perfdata_d5c.dat
2010-06-25 03:09:54 16384 ----atw- c:\temp\Perflib_Perfdata_38c.dat
2010-06-24 22:57:28 16384 ----atw- c:\temp\Perflib_Perfdata_27c.dat
2010-06-24 22:54:00 4054 ----a-w- c:\windows\wininit.ini
2010-06-24 22:28:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-24 22:28:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-24 22:03:50 16384 ----atw- c:\temp\Perflib_Perfdata_394.dat
2010-06-24 05:46:51 0 d-----w- c:\temp\hsperfdata_SYSTEM
2010-06-24 00:49:09 16384 ----atw- c:\temp\Perflib_Perfdata_300.dat
2010-06-23 04:24:28 256752 ----a-w- c:\temp\SSUPDATE.EXE
2010-06-23 03:54:40 16384 ----atw- c:\temp\Perflib_Perfdata_304.dat
2010-06-23 03:54:19 16384 ----atw- c:\temp\Perflib_Perfdata_f18.dat
2010-06-23 03:36:58 0 d-----w- c:\docume~1\cyorkmi\applic~1\SUPERAntiSpyware.com
2010-06-23 03:36:40 0 d-----w- c:\temp\SUPERSetup
2010-06-22 20:25:48 0 d-----w- c:\temp\BTN%Copy%1
2010-06-22 20:17:18 16384 ----atw- c:\temp\Perflib_Perfdata_214.dat
2010-06-21 19:28:27 16384 ------w- c:\temp\Perflib_Perfdata_47c.dat
2010-06-20 16:59:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-20 14:39:36 120 ----a-w- c:\windows\Kzabuyanamisu.dat
2010-06-20 14:39:36 0 ----a-w- c:\windows\Erepahemofi.bin
2010-06-20 05:18:10 0 d-----w- c:\program files\WBFS
2010-06-18 17:13:12 6656 ----a-w- c:\windows\system32\haspvdd.dll
2010-06-18 17:13:12 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2010-06-18 17:13:12 383 ----a-w- c:\windows\system32\haspdos.sys
2010-06-18 17:13:12 264704 ----a-w- c:\windows\system32\hlvdd.dll
2010-06-18 17:13:12 2577 ----a-w- c:\windows\system32\config.hsp
2010-06-18 17:13:10 0 d-----w- C:\AZ Commercial
2010-06-18 17:13:07 82432 ------w- c:\windows\system32\msxml4r.dll
2010-06-18 17:13:07 44544 ------w- c:\windows\system32\msxml4a.dll
2010-06-18 17:13:07 1233920 ------w- c:\windows\system32\msxml4.dll
2010-06-18 17:12:58 0 d-----w- C:\ALLDATAW
2010-06-18 17:06:07 0 ----a-w- c:\windows\hlktmp
2010-06-18 17:06:06 693760 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-06-18 17:05:48 24576 ----a-w- c:\windows\system32\hdsuinst.exe
2010-06-18 17:05:47 153088 ----a-w- c:\windows\system32\UNWISE.EXE
2010-06-18 17:05:46 2511360 ----a-w- c:\windows\system32\haspds_windows.dll
2010-06-18 16:02:26 0 d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-17 19:53:26 0 d-----w- c:\windows\JCITemplate
2010-06-10 19:47:51 0 d-----w- c:\docume~1\cyorkmi\applic~1\Anibdi
2010-06-08 00:04:11 0 d-----w- C:\books
2010-06-01 21:27:49 0 d-----w- C:\SWSetup
2010-05-28 21:56:12 0 d-----w- c:\docume~1\cyorkmi\applic~1\Johnson Controls
2010-05-28 00:44:58 16384 ------w- c:\temp\Perflib_Perfdata_264.dat

==================== Find3M ====================

2010-05-13 18:47:39 4987 ----a-w- C:\bradyprinterlog.dat
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 23:38:56 182608 ----a-w- c:\windows\system32\cnvshell.dll
2010-04-22 18:07:00 228352 ----a-w- c:\documents and settings\cyorkmi\DataRefreshUI_5.0.0.8300.dll
2010-04-22 14:07:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-19 15:38:43 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-19 15:31:15 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-19 15:31:15 104960 ------w- c:\windows\system32\pxinsi64.exe
2010-04-19 15:13:10 1638400 ----a-w- c:\windows\system32\Gdiplus.dll
2005-11-15 20:32:22 3638 ----a-r- c:\program files\common files\Altiris_Icon.ico

============= FINISH: 16:42:24.40 ===============


#2 Farbar (Security Developer)

Posted 01 July 2010 - 06:42 PM

Hi keepncool,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

Also run GMER, uncheck all boxes but let the box next to Sections and C drive remain checked. Click Scan.
When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

#3 keepncool (Topic Starter)

Posted 01 July 2010 - 08:44 PM

The condition of my computer has not changed (no better or worse).
I attempted to run GMER as requested. But with everything unchecked except for selections and C drive, it still causes my computer to crash with a blue screen and restart.
Please let me know where we need to continue from here.

Thanks so much for taking your time to assist me with this problem.
Mike York

Edited by keepncool, 01 July 2010 - 09:00 PM.


#4 Farbar (Security Developer)

Posted 01 July 2010 - 09:02 PM

No problem. We will do it without GMER as I'm guessing the type of infection.

We are going to run this special tool.
  • Please download TDSSKiller.exe and save it to your desktop.
  • Run TDSSKiller.exe.
  • When it has finished, press any key to continue.
  • Let it reboot if needed and tell me if it needed a reboot.
  • Also it makes a txt file on the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.


#5 keepncool (Topic Starter)

Posted 01 July 2010 - 09:44 PM

I ran TDSSKiller and it did require a restart.
The log is attached.
thanks,
mike york


#6 Farbar (Security Developer)

Posted 01 July 2010 - 09:53 PM

The rootkit is taken care of.

There is another malware redirecting only Firefox.
  1. Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it.
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Remove the per-user IE proxy entries that forced browser traffic through 127.0.0.1:5555
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Reset the WinHTTP (system-wide, non-browser) proxy setting to direct access
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A window flashes, this is normal.

  3. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them (look for any entry on Add/Remove that contains Java, JRE or Java Run Time), they are:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 12
    J2SE Runtime Environment 5.0 Update 13
    Java™ 6 Update 16
    Java™ 6 Update 4
    Java™ 6 Update 5
    Java™ 6 Update 7


  4. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  5. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  6. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt

  7. Tell me also how your computer is running.
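The entries in the DDS log that gave this hijack away can be checked mechanically rather than by eye: a per-user ProxyServer pointing at the loopback address on an odd port, a uRun value named with a bare GUID that launches an executable from Application Data, Firefox's network.proxy.type set to 2 (automatic proxy configuration), and a HiddenExtension registered outside the profile. The Python script below is an added example written for this thread; it is not part of DDS, GooredFix or any post here. The line formats it matches are taken from the DDS log above, the sample input is those same lines plus two benign ones, and the indicator names and the "user-writable folder" heuristic are the editor's own assumptions.

```python
"""Flag DDS-log indicators of a local proxy / browser hijack (added example)."""
import re
from typing import Iterable, List, Tuple

# (indicator, reason, offending log line)
Finding = Tuple[str, str, str]

# Sample input: lines copied from the DDS "Pseudo HJT Report" and FIREFOX
# sections above, with two benign entries kept for contrast.
SAMPLE_DDS_LINES = [
    r"uStart Page = hxxp://my.johnsoncontrols.com/",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    r"uInternet Settings,ProxyOverride = <local>",
    r'uRun: [{B53ACCA6-3F22-B04D-FFE9-9998B7DB6F98}] "c:\documents and settings\cyorkmi\application data\qaek\exla.exe"',
    r"uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe",
    r'mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"',
    r"FF - prefs.js: network.proxy.type - 2",
    r"FF - plugin: c:\program files\adobe\reader\browser\nppdf32.dll",
    r"FF - HiddenExtension: XULRunner: {1D048104-F73F-4FF5-98E6-B5A8F21F125A} - c:\documents and settings\cyorkmi\local settings\application data\{1D048104-F73F-4FF5-98E6-B5A8F21F125A}",
]

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>\S+)", re.I)
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (?P<mode>\d+)", re.I)

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Heuristic (assumption): autorun targets in these per-user folders deserve review.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
FF_PROXY_MODES = {0: "direct", 1: "manual", 2: "automatic (PAC URL)",
                  4: "auto-detect (WPAD)", 5: "system"}


def parse_proxy_hosts(value: str) -> List[Tuple[str, str, str]]:
    """Split an IE ProxyServer value such as 'http=127.0.0.1:5555;https=host:port'
    into (protocol, host, port) triples. A bare 'host:port' applies to all protocols."""
    out: List[Tuple[str, str, str]] = []
    for entry in value.split(";"):
        if not entry:
            continue
        proto, sep, hostport = entry.partition("=")
        if not sep:
            proto, hostport = "all", entry
        host, _, port = hostport.rpartition(":")
        if not host:
            host, port = hostport, ""
        out.append((proto, host.strip("[]"), port))
    return out


def scan_dds_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one finding per suspicious DDS line, in input order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for proto, host, port in parse_proxy_hosts(m.group("value")):
                if host.lower() in LOOPBACK:
                    findings.append(("loopback-proxy",
                                     f"{proto} traffic is forced through {host}:{port}; "
                                     "a local process can observe and rewrite every request",
                                     line))
            continue
        m = RUN_RE.match(line)
        if m:
            name = m.group("name")
            cmd = m.group("cmd").strip().strip('"').lower()
            reasons = []
            if GUID_RE.match(name):
                reasons.append("autorun value named with a bare GUID")
            if any(folder in cmd for folder in USER_WRITABLE):
                reasons.append("executable lives in a user-writable profile folder")
            if reasons:
                findings.append(("suspicious-autorun", "; ".join(reasons), line))
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            mode = int(m.group("mode"))
            if mode != 0:
                findings.append(("firefox-proxy",
                                 f"network.proxy.type={mode} ({FF_PROXY_MODES.get(mode, 'unknown')}); "
                                 "confirm the proxy or PAC source is one you configured",
                                 line))
            continue
        if line.lower().startswith("ff - hiddenextension:"):
            findings.append(("firefox-hidden-extension",
                             "extension registered through the Firefox Extensions registry key "
                             "rather than installed in the profile",
                             line))
    return findings


if __name__ == "__main__":
    for indicator, reason, line in scan_dds_lines(SAMPLE_DDS_LINES):
        print(f"[{indicator}] {reason}\n    {line}")
```

Run against the sample, the script reports exactly the four entries the helper's fix and GooredFix addressed, and stays silent on the Spybot and Symantec autoruns. In practice you would feed it the whole DDS.txt; the proxy and Firefox checks are the ones worth keeping even after cleanup, since a re-appearing loopback ProxyServer is the quickest sign the hijacker is back.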


#7 keepncool (Topic Starter)

Posted 02 July 2010 - 08:57 PM

The computer is much better (no more redirects). I ran the scans you requested, and the posts will follow.
I can not update Java. I have to have all these versions of Java for my business applications (they are Java release specific).
I also was able to run GMER and attached it.

thanks,
mike

GooredFix by jpshortstuff (08.01.10.1)
Log created at 22:45 on 01/07/2010 (cyorkmi)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========

(none)
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{1D048104-F73F-4FF5-98E6-B5A8F21F125A} -> Success!
Deleting C:\Documents and Settings\cyorkmi\Local Settings\Application Data\{1D048104-F73F-4FF5-98E6-B5A8F21F125A} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:37 14/05/2010]

C:\Documents and Settings\cyorkmi\Application Data\Mozilla\Firefox\Profiles\6szzaxkv.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:40 22/04/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:07 22/04/2010]

-=E.O.F=-

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4266

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/2/2010 6:13:40 AM
mbam-log-2010-07-02 (06-13-40).txt

Scan type: Quick scan
Objects scanned: 159801
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by cyorkmi at 20:15:59.34 on Fri 07/02/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3036.1441 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\LonWorks\bin\LnsMtsSvc.exe
C:\Inetpub\Wwwroot\MetasysIII\Tool\bin\ActionQueue.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\SoftGate\SoftGateNotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\spyware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.johnsoncontrols.com/
uInternet Connection Wizard,ShellNext = hxxp://localhost/SCT
uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [{B53ACCA6-3F22-B04D-FFE9-9998B7DB6F98}] "c:\documents and settings\cyorkmi\application data\qaek\exla.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [AccessManager] c:\program files\accessmanager\client\AccessMgr.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [Softgate] c:\program files\softgate\SoftGateNotify.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\cyorkmi\startm~1\programs\startup\monito~1.lnk - c:\program files\eroom 7\ERClient7.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aimver~1.lnk - c:\program files\johnson controls\aim\aimver\reminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.johnsoncontrols.com/eRoomSetup/client.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://jwimkns12.na.jci.com/dwa8W.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: AMINIT.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - shdocvw.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cyorkmi\applic~1\mozilla\firefox\profiles\6szzaxkv.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\adobe\reader\browser\nppdf32.dll
FF - plugin: c:\program files\java\jre1.5.0_13\bin\NPJPI150_13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npeRoom7.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-5-4 40560]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-9-22 24064]
R2 AMBroker;Access Manager Configuration Service;c:\program files\accessmanager\client\AMBroker.exe [2004-3-4 81920]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-27 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-27 108392]
R2 LnsMtsSvc;Echelon Support Service for Microsoft Terminal Services (MTS);c:\lonworks\bin\LnsMtsSvc.exe [2007-9-21 62776]
R2 MIIIAQ;Metasys III Action Queue;c:\inetpub\wwwroot\metasysiii\tool\bin\ActionQueue.exe [2009-12-9 192512]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-7-27 2440632]
R2 TSM Scheduler;TSM Scheduler;c:\program files\tivoli\tsm\baclient\dsmcsvc.exe [2007-2-21 3117056]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-9-22 475520]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-4-19 228408]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-11-11 240344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-4 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-11-11 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100624.002\NAVENG.SYS [2010-6-24 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100624.002\NAVEX15.SYS [2010-6-24 1347504]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-10-2 47616]
S1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-5-29 9216]
S2 ChkLpt;ChkLpt;c:\windows\system32\drivers\Chklpt.sys [2004-6-19 6364]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-27 23888]
S3 DAPlugin;Visual Insight DA Plugin;c:\program files\accessmanager\client\DAPlugin.exe [2004-3-4 81920]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys --> c:\windows\system32\drivers\e1k5132.sys [?]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2006-5-17 29404]
S3 LdvxBroker;Echelon xDriver Connection Broker;c:\lonworks\bin\LdvxBroker.exe [2007-9-21 66872]
S3 sp_spi_da;Visual Insight Dial Analysis;c:\program files\accessmanager\smoc\spi_da.exe [2003-4-17 81920]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-19 189792]

=============== Created Last 30 ================

2010-07-03 01:15:58 0 d-----w- c:\temp\1B9.tmp
2010-07-02 10:43:58 54016 ----a-w- c:\windows\system32\drivers\fowqnt.sys
2010-07-02 03:54:43 0 d-----w- c:\program files\CCleaner
2010-07-02 02:37:37 16384 ----atw- c:\temp\Perflib_Perfdata_a14.dat
2010-07-02 02:37:25 16384 ----atw- c:\temp\Perflib_Perfdata_7cc.dat
2010-07-02 02:32:37 16384 ----atw- c:\temp\Perflib_Perfdata_2a8.dat
2010-07-02 01:32:58 16384 ----atw- c:\temp\Perflib_Perfdata_2b4.dat
2010-07-02 01:32:37 16384 ----atw- c:\temp\Perflib_Perfdata_f14.dat
2010-07-02 01:32:22 16384 ----atw- c:\temp\Perflib_Perfdata_194.dat
2010-07-02 01:21:01 16384 ----atw- c:\temp\Perflib_Perfdata_2f4.dat
2010-07-02 01:20:41 16384 ----atw- c:\temp\Perflib_Perfdata_d88.dat
2010-07-02 01:20:26 16384 ----atw- c:\temp\Perflib_Perfdata_1a4.dat
2010-06-28 18:12:34 0 d-----w- c:\temp\VBE
2010-06-28 18:12:33 0 d-----w- c:\temp\Excel8.0
2010-06-26 21:41:18 0 ----a-w- c:\documents and settings\cyorkmi\defogger_reenable
2010-06-26 21:38:53 0 d-----w- C:\spyware
2010-06-24 22:54:00 4054 ----a-w- c:\windows\wininit.ini
2010-06-24 22:28:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-24 22:28:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-23 03:36:58 0 d-----w- c:\docume~1\cyorkmi\applic~1\SUPERAntiSpyware.com
2010-06-20 16:59:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-20 14:39:36 120 ----a-w- c:\windows\Kzabuyanamisu.dat
2010-06-20 14:39:36 0 ----a-w- c:\windows\Erepahemofi.bin
2010-06-20 05:18:10 0 d-----w- c:\program files\WBFS
2010-06-18 17:13:12 6656 ----a-w- c:\windows\system32\haspvdd.dll
2010-06-18 17:13:12 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2010-06-18 17:13:12 383 ----a-w- c:\windows\system32\haspdos.sys
2010-06-18 17:13:12 264704 ----a-w- c:\windows\system32\hlvdd.dll
2010-06-18 17:13:12 2577 ----a-w- c:\windows\system32\config.hsp
2010-06-18 17:13:10 0 d-----w- C:\AZ Commercial
2010-06-18 17:13:07 82432 ------w- c:\windows\system32\msxml4r.dll
2010-06-18 17:13:07 44544 ------w- c:\windows\system32\msxml4a.dll
2010-06-18 17:13:07 1233920 ------w- c:\windows\system32\msxml4.dll
2010-06-18 17:12:58 0 d-----w- C:\ALLDATAW
2010-06-18 17:06:07 0 ----a-w- c:\windows\hlktmp
2010-06-18 17:06:06 693760 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-06-18 17:05:48 24576 ----a-w- c:\windows\system32\hdsuinst.exe
2010-06-18 17:05:47 153088 ----a-w- c:\windows\system32\UNWISE.EXE
2010-06-18 17:05:46 2511360 ----a-w- c:\windows\system32\haspds_windows.dll
2010-06-18 16:02:26 0 d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-17 19:53:26 0 d-----w- c:\windows\JCITemplate
2010-06-10 19:47:51 0 d-----w- c:\docume~1\cyorkmi\applic~1\Anibdi
2010-06-08 00:04:11 0 d-----w- C:\books

==================== Find3M ====================

2010-07-02 02:36:17 360320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-13 18:47:39 4987 ----a-w- C:\bradyprinterlog.dat
2010-04-23 23:38:56 182608 ----a-w- c:\windows\system32\cnvshell.dll
2010-04-22 18:07:00 228352 ----a-w- c:\documents and settings\cyorkmi\DataRefreshUI_5.0.0.8300.dll
2010-04-22 14:07:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-19 15:38:43 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-19 15:31:15 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-19 15:31:15 104960 ------w- c:\windows\system32\pxinsi64.exe
2010-04-19 15:13:10 1638400 ----a-w- c:\windows\system32\Gdiplus.dll
2005-11-15 20:32:22 3638 ----a-r- c:\program files\common files\Altiris_Icon.ico

============= FINISH: 20:16:21.87 ===============







#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:52 PM

Posted 03 July 2010 - 05:43 AM

QUOTE
I can not update JAVA. I have to have all these versions of JAVA for my business applications (they are Java release specific)


It is up to you, but you should bear in mind that old Java on your computer might lead to reinfection. You don't need an older version once you install the latest version, which is Java 6 Update 20. If you don't want to use JavaRa you can do it as follows:

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the Download JRE button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
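The DDS log posted earlier in the thread already contains the two facts the helper is acting on: a user-hive autostart (the `uRun` line with a GUID for a name, launching `exla.exe` from `Application Data\qaek`) and a long list of `DPF` entries pointing at old Java installer cabs. The following script is an added example for this thread, not code from the original posts or from the DDS tool: it parses those line types from a DDS "Pseudo HJT Report", scores the autostart entries with a few simple heuristics, and lists the Java versions referenced by the DPF lines that are older than the 1.6.0_20 release recommended above. The sample lines are copied from the posted log; the heuristic weights, the review threshold and the version target are assumptions made for the example.

```python
"""Triage helpers for a DDS 'Pseudo HJT Report'.

Added example for this thread, not code from the original posts or from the
DDS tool. It (1) scores the uRun/mRun autostart lines and flags the ones worth
a second look, and (2) lists the Java ActiveX installer entries (DPF lines)
that are older than the JRE the helper asked the poster to install. The scoring
weights, the review threshold and the 1.6.0_20 target are assumptions."""
import re

# Constructed sample: a few lines copied from the DDS report posted above.
SAMPLE_REPORT = r"""
uRun: [{B53ACCA6-3F22-B04D-FFE9-9998B7DB6F98}] "c:\documents and settings\cyorkmi\application data\qaek\exla.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Per-user writable profile locations on Windows XP (DDS prints paths lower-cased).
PROFILE_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\(application data|local settings)\\", re.I)
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.I)


def split_command(cmd):
    """Separate the executable path from its arguments; DDS quotes paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    return cmd, ""


def parse_run_entries(report):
    """Return one dict per uRun (user hive) / mRun (machine hive) line."""
    entries = []
    for line in report.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            path, args = split_command(m.group("cmd"))
            entries.append({"hive": m.group("hive"), "name": m.group("name"), "path": path, "args": args})
    return entries


def score_run_entry(entry):
    """Return (score, reasons). Each heuristic adds one point; the weights are an assumption."""
    reasons = []
    path = entry["path"].lower()
    if PROFILE_RE.match(path):
        reasons.append("executable lives in a per-user profile data directory")
    if GUID_RE.match(entry["name"].strip()):
        reasons.append("autostart value name is a bare GUID")
    parts = path.split("\\")
    if len(parts) >= 2:
        folder, stem = parts[-2], parts[-1].rsplit(".", 1)[0]
        if folder.isalpha() and stem.isalpha() and len(folder) <= 5 and len(stem) <= 5:
            reasons.append("short random-looking folder and file name")
    return len(reasons), reasons


def suspicious_run_entries(report, threshold=2):
    """Entries whose score reaches the threshold (default: two independent tells)."""
    hits = []
    for entry in parse_run_entries(report):
        score, reasons = score_run_entry(entry)
        if score >= threshold:
            hits.append({**entry, "score": score, "reasons": reasons})
    return hits


def outdated_java_installers(report, current=(1, 6, 0, 20)):
    """Java versions referenced by DPF jinstall cabs that are older than `current`
    (1.6.0_20 is the release the helper recommended above)."""
    versions = set()
    for m in JINSTALL_RE.finditer(report):
        versions.add(tuple(int(x) for x in m.groups()))
    return ["%d.%d.%d_%02d" % v for v in sorted(versions) if v < current]


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_REPORT):
        print(hit["hive"] + "Run", hit["name"], hit["path"], "->", "; ".join(hit["reasons"]))
    print("outdated Java installers:", ", ".join(outdated_java_installers(SAMPLE_REPORT)))
```

On the sample above the only entry that clears the threshold is the `exla.exe` autostart, which scores on all three tells, while the Spybot, Symantec and `dumprep` entries score zero; the three Java installers listed (1.5.0_13, 1.6.0_04, 1.6.0_16) are exactly the older components the helper wants removed before the 6u20 install.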

#9 keepncool

Posted 03 July 2010 - 09:56 AM

Here are the results of the ESET scan.
Thanks,
Mike

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=70610ee426015e46b2d2310bb5bcd6af
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-03 01:07:50
# local_time=2010-07-03 08:07:50 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=130736
# found=2
# cleaned=0
# scan_time=5533
C:\Documents and Settings\cyorkmi\Application Data\Qaek\exla.exe a variant of Win32/Kryptik.FGX trojan 00000000000000000000000000000000 I
C:\pic micro\DVD_Fab_Platinum_v6[1].0.1.0.rar a variant of MSIL/TrojanDropper.Agent.E trojan 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=70610ee426015e46b2d2310bb5bcd6af
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-03 02:50:08
# local_time=2010-07-03 09:50:08 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=130884
# found=2
# cleaned=2
# scan_time=5582
C:\Documents and Settings\cyorkmi\Application Data\Qaek\exla.exe a variant of Win32/Kryptik.FGX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\pic micro\DVD_Fab_Platinum_v6[1].0.1.0.rar a variant of MSIL/TrojanDropper.Agent.E trojan (deleted - quarantined) 00000000000000000000000000000000 C
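
The two ESET blocks above are the same scan run twice: first with `remove_checked=false` (report only, flag `I` on each detection) and then with `remove_checked=true` (flag `C`, "cleaned by deleting - quarantined"). The script below is an added example for this thread, not code from the original posts or from ESET: it parses the `# key=value` headers and the detection lines of an ESET Online Scanner `log.txt` into one record per run, checks that the `found`/`cleaned` counters agree with the detection lines, and reports any path from the report-only run that the removal run did not mark cleaned. The sample is a shortened, constructed copy of the log above; it assumes the on-disk log separates the fields of a detection line with tabs (the forum paste collapsed them to spaces).

```python
"""Parser and consistency check for ESET Online Scanner log blocks.

Added example for this thread, not code from the original posts or from ESET.
Assumption: detection lines are tab-separated as in the on-disk log.txt
(path, threat, hash, flag); the forum paste above collapsed the tabs."""
import re

# Constructed sample: two shortened blocks modelled on the ESET log posted above.
SAMPLE_LOG = (
    "# version=7\n"
    "# end=finished\n"
    "# remove_checked=false\n"
    "# utc_time=2010-07-03 01:07:50\n"
    "# scanned=130736\n"
    "# found=2\n"
    "# cleaned=0\n"
    "C:\\Documents and Settings\\cyorkmi\\Application Data\\Qaek\\exla.exe\t"
    "a variant of Win32/Kryptik.FGX trojan\t00000000000000000000000000000000\tI\n"
    "C:\\pic micro\\DVD_Fab_Platinum_v6[1].0.1.0.rar\t"
    "a variant of MSIL/TrojanDropper.Agent.E trojan\t00000000000000000000000000000000\tI\n"
    "esets_scanner_update returned -1 esets_gle=53251\n"
    "# version=7\n"
    "# end=finished\n"
    "# remove_checked=true\n"
    "# utc_time=2010-07-03 02:50:08\n"
    "# scanned=130884\n"
    "# found=2\n"
    "# cleaned=2\n"
    "C:\\Documents and Settings\\cyorkmi\\Application Data\\Qaek\\exla.exe\t"
    "a variant of Win32/Kryptik.FGX trojan (cleaned by deleting - quarantined)\t"
    "00000000000000000000000000000000\tC\n"
    "C:\\pic micro\\DVD_Fab_Platinum_v6[1].0.1.0.rar\t"
    "a variant of MSIL/TrojanDropper.Agent.E trojan (deleted - quarantined)\t"
    "00000000000000000000000000000000\tC\n"
)

HASH_RE = re.compile(r"[0-9a-fA-F]{32}")


def parse_eset_log(text):
    """Split the log into runs. Each run is a dict of the '# key=value' headers
    (as strings) plus a 'detections' list of (path, threat, flag) tuples."""
    runs, current = [], None
    for line in text.splitlines():
        if line.startswith("# version="):
            # Every run starts with its own '# version=' header.
            current = {"detections": []}
            runs.append(current)
        if current is None:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            current[key.strip()] = value.strip()
        elif "\t" in line:
            fields = line.split("\t")
            if len(fields) == 4 and HASH_RE.fullmatch(fields[2]) and fields[3] in ("I", "C"):
                current["detections"].append((fields[0], fields[1], fields[3]))
        # Anything else (e.g. 'esets_scanner_update returned -1') is tool chatter.
    return runs


def counters_consistent(run):
    """True when '# found' and '# cleaned' match the detection lines of the run."""
    found = int(run.get("found", "0"))
    cleaned = int(run.get("cleaned", "0"))
    dets = run["detections"]
    return found == len(dets) and cleaned == sum(1 for _, _, flag in dets if flag == "C")


def leftovers(report_run, remove_run):
    """Paths the report-only run flagged that the removal run did not mark cleaned."""
    cleaned = {path.lower() for path, _, flag in remove_run["detections"] if flag == "C"}
    return [path for path, _, flag in report_run["detections"]
            if flag == "I" and path.lower() not in cleaned]


if __name__ == "__main__":
    runs = parse_eset_log(SAMPLE_LOG)
    for i, run in enumerate(runs):
        print("run", i, "remove_checked=%s found=%s cleaned=%s consistent=%s"
              % (run.get("remove_checked"), run.get("found"), run.get("cleaned"), counters_consistent(run)))
    print("not cleaned:", leftovers(runs[0], runs[1]) or "nothing")
```

For the log above both runs are self-consistent and the second run cleans both paths the first one reported, which is the state the helper signs off on in the next post.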


#10 Farbar

Posted 03 July 2010 - 05:34 PM

It looks good.
  1. You may delete any tool or log we used from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  3. I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.

Happy surfing, keepncool.

#11 keepncool

Posted 03 July 2010 - 06:21 PM

Thanks for all your help, it is much better now.
The only thing I am worried about is a redirect I got when I tried to log on to my bank's site.
It sent me to "Visa Advanced Verification" (and was asking for lots of personal info). I called the bank and verified
it was a phishing scheme. It only appeared when I was trying to log into my online banking.
If you have any ideas, please let me know.
Thanks,
Mike

#12 Farbar

Posted 03 July 2010 - 06:39 PM

Let's take a deeper look at your system.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#13 keepncool

Posted 04 July 2010 - 07:26 AM

The "Disable Symantec Endpoint Protection" tab is grayed out and not available. Is there any other way to disable it?

#14 Farbar

Posted 04 July 2010 - 11:05 AM

Run ComboFix in Safe Mode with Networking, but if it needs a reboot, let it boot into normal mode.

Start in Safe Mode using the F8 key:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode with Networking menu item.
  • Press the Enter key.
  • Log in to your usual account.


#15 keepncool

Posted 04 July 2010 - 12:17 PM

Here is the ComboFix log.
Thanks,
Mike


ComboFix 10-07-03.06 - cyorkmi 07/04/2010 10:42:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3036.1624 [GMT -5:00]
Running from: c:\documents and settings\cyorkmi\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\cyorkmi\Application Data\Qaek\exla.exe
c:\documents and settings\cyorkmi\DataRefreshUI_5.0.0.8300.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR01.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR04.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR0401.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR05.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR06.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR07.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR08.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR0A.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR0B.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR0C.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR0D.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR0E.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR10.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR11.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR12.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR13.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR14.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR15.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR16.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR1601.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR19.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR1D.dll
c:\program files\IBM\Lotus\Notes\framework\brokerbridge\res\OfficeAddinR1F.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR01.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR04.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR0401.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR05.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR06.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR07.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR08.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR0A.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR0B.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR0C.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR0D.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR0E.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR10.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR11.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR12.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR13.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR14.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR15.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR16.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR1601.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR19.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR1D.dll
c:\program files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.collaboration.realtime.oi.smarttagsFiles_8.0.0.20080904-1238\brokerbridge\res\OfficeAddinR1F.dll
c:\program files\InstallShield Installation Information\{051C2D31-B596-4D1D-A72E-CF221BE05B24}\_setup.dll
c:\program files\InstallShield Installation Information\{0F61C099-85FF-4CD1-88D3-309D468DD7FE}\_setup.dll
c:\program files\InstallShield Installation Information\{174B8098-D14E-46A5-8D48-F3EDC5C69A3B}\_setup.dll
c:\program files\InstallShield Installation Information\{1C692985-2CE7-4BBF-B994-A8FEA733C44F}\_setup.dll
c:\program files\InstallShield Installation Information\{21AE2998-4E92-4B1A-B911-5C479D360B2D}\_setup.dll
c:\program files\InstallShield Installation Information\{24012758-7BCA-425C-BB7F-B1BA7B62931A}\_setup.dll
c:\program files\InstallShield Installation Information\{2A878BC6-DF5B-4AA3-B7B7-9C1877E68BA7}\_setup.dll
c:\program files\InstallShield Installation Information\{2CD4929E-E42D-40EF-9300-693FAC1850E3}\_setup.dll
c:\program files\InstallShield Installation Information\{309EA7E3-DBD6-49D7-ABFE-31B21D181F51}\_setup.dll
c:\program files\InstallShield Installation Information\{3DF5C968-6701-4EFF-B9A9-0CE21F753A75}\_setup.dll
c:\program files\InstallShield Installation Information\{497DD967-5769-4A9F-9570-D10907A10A86}\_setup.dll
c:\program files\InstallShield Installation Information\{616EF735-2592-4BF0-B788-799EF23C496B}\_setup.dll
c:\program files\InstallShield Installation Information\{8355D577-90AD-4BBA-8883-835E6D284000}\_setup.dll
c:\program files\InstallShield Installation Information\{8410F4AB-624F-4358-9DC9-28CD902B699C}\_setup.dll
c:\program files\InstallShield Installation Information\{8DF11917-851C-4085-91FE-B0DB4AFB4D98}\_setup.dll
c:\program files\InstallShield Installation Information\{9E6B65A0-854B-4BD9-9A9A-7913EDFC3A98}\_setup.dll
c:\program files\InstallShield Installation Information\{A2712A5C-2595-4C57-A7E4-55C5109D8ABA}\_setup.dll
c:\program files\InstallShield Installation Information\{CE9586DE-F3B6-479E-80F5-F5D90AF0342A}\_setup.dll
c:\program files\InstallShield Installation Information\{D0F32AD9-3CA6-4839-92B1-F444856182B0}\_setup.dll
c:\program files\InstallShield Installation Information\{D92D4181-EAAC-4DBD-A8B0-E0B2DA7051B6}\_setup.dll
c:\program files\InstallShield Installation Information\{DA631334-39D3-4273-AB6B-D587C779A215}\_setup.dll
c:\program files\InstallShield Installation Information\{E2511B21-2389-4E50-A78D-95C38C87D15C}\_setup.dll
c:\program files\InstallShield Installation Information\{E2C5EA83-2BED-4F2D-97C7-82FA5EF1AAC0}\_setup.dll
c:\program files\InstallShield Installation Information\{ECBB5B89-1A70-4710-BEB9-3DC22A3CA637}\_setup.dll
c:\program files\InstallShield Installation Information\{EEE87304-D12B-4FC1-A116-7D11FA14E086}\_setup.dll
c:\program files\InstallShield Installation Information\{FA8D0FB6-3293-4B3A-9F4E-01CAB7FE020E}\_setup.dll
c:\windows\desktop
c:\windows\desktop\START.SBP
c:\windows\system32\Cache
c:\windows\system32\UNWISE.EXE
c:\windows\UNWISE.EXE

----- BITS: Possible infected sites -----

hxxp://c7mdcs084.cg.na.jci.com:8530
.
((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-07-04 15:49 . 2010-07-04 15:49 53248 ----a-w- c:\temp\catchme.dll
2010-07-04 15:42 . 2010-07-04 15:42 -------- d-----w- c:\temp\WPDNSE
2010-07-04 15:34 . 2010-07-04 15:34 16384 ----atw- c:\temp\Perflib_Perfdata_10c.dat
2010-07-04 15:34 . 2010-07-04 15:34 16384 ----atw- c:\temp\Perflib_Perfdata_4ec.dat
2010-07-04 15:33 . 2010-07-04 15:33 16384 ----atw- c:\temp\Perflib_Perfdata_2b8.dat
2010-07-03 17:02 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-03 17:02 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-03 12:53 . 2010-07-03 12:53 503808 ----a-w- c:\documents and settings\cyorkmi\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3e137cdd-n\msvcp71.dll
2010-07-03 12:53 . 2010-07-03 12:53 348160 ----a-w- c:\documents and settings\cyorkmi\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3e137cdd-n\msvcr71.dll
2010-07-03 12:53 . 2010-07-03 12:53 499712 ----a-w- c:\documents and settings\cyorkmi\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3e137cdd-n\jmc.dll
2010-07-03 12:53 . 2010-07-03 12:53 -------- d-----w- c:\temp\hsperfdata_cyorkmi
2010-07-03 11:27 . 2010-07-03 11:27 -------- d-----w- c:\program files\ESET
2010-07-02 03:54 . 2010-07-02 03:54 -------- d-----w- c:\program files\CCleaner
2010-06-28 18:12 . 2010-07-04 15:47 -------- d-----w- c:\temp\VBE
2010-06-28 18:12 . 2010-07-04 15:47 -------- d-----w- c:\temp\Excel8.0
2010-06-26 21:38 . 2010-07-03 23:02 -------- d-----w- C:\spyware
2010-06-24 22:28 . 2010-07-02 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-24 22:28 . 2010-06-24 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-24 05:47 . 2010-06-24 11:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\aignfafja
2010-06-23 03:37 . 2010-06-24 11:12 63488 ----a-w- c:\documents and settings\cyorkmi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-23 03:37 . 2010-06-23 03:37 52224 ----a-w- c:\documents and settings\cyorkmi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-23 03:37 . 2010-06-24 11:12 117760 ----a-w- c:\documents and settings\cyorkmi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-23 03:36 . 2010-06-23 03:36 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\SUPERAntiSpyware.com
2010-06-21 09:11 . 2010-06-21 09:11 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-20 16:59 . 2010-06-24 05:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-20 16:37 . 2010-06-20 17:10 -------- d-----w- c:\documents and settings\cyorkmi\Local Settings\Application Data\mmrmbriko
2010-06-20 14:39 . 2010-06-24 15:02 120 ----a-w- c:\windows\Kzabuyanamisu.dat
2010-06-20 14:39 . 2010-06-24 10:44 0 ----a-w- c:\windows\Erepahemofi.bin
2010-06-20 05:19 . 2010-06-20 05:19 -------- d-----w- c:\documents and settings\cyorkmi\Local Settings\Application Data\WBFSManager
2010-06-20 05:18 . 2010-06-20 05:18 -------- d-----w- c:\program files\WBFS
2010-06-18 17:13 . 2010-06-18 17:13 6656 ----a-w- c:\windows\system32\haspvdd.dll
2010-06-18 17:13 . 2010-06-18 17:13 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2010-06-18 17:13 . 2010-06-18 17:13 383 ----a-w- c:\windows\system32\haspdos.sys
2010-06-18 17:13 . 2010-06-18 17:13 264704 ----a-w- c:\windows\system32\hlvdd.dll
2010-06-18 17:13 . 2010-06-18 17:13 -------- d-----w- C:\AZ Commercial
2010-06-18 17:13 . 2003-04-18 22:46 1233920 ------w- c:\windows\system32\msxml4.dll
2010-06-18 17:13 . 2003-04-18 22:29 82432 ------w- c:\windows\system32\msxml4r.dll
2010-06-18 17:13 . 2003-04-18 22:29 44544 ------w- c:\windows\system32\msxml4a.dll
2010-06-18 17:12 . 2010-06-18 17:16 -------- d-----w- C:\ALLDATAW
2010-06-18 17:06 . 2010-06-18 17:06 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\Sonic
2010-06-18 17:06 . 2010-06-18 17:06 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\Leadertech
2010-06-18 17:06 . 2006-11-22 15:01 693760 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-06-18 17:05 . 2005-06-21 16:10 24576 ----a-w- c:\windows\system32\hdsuinst.exe
2010-06-18 17:05 . 2006-12-20 15:00 2511360 ----a-w- c:\windows\system32\haspds_windows.dll
2010-06-18 16:02 . 2010-06-18 16:02 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-17 19:53 . 2010-06-17 19:53 -------- d-----w- c:\windows\JCITemplate
2010-06-16 02:51 . 2010-06-16 02:51 -------- d-----w- c:\program files\7-Zip
2010-06-10 19:47 . 2010-07-03 16:08 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\Anibdi
2010-06-08 00:04 . 2010-06-08 10:13 -------- d-----w- C:\books

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 13:32 . 2010-06-02 22:08 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\Qaek
2010-07-02 02:36 . 2006-02-28 12:00 360320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-22 19:18 . 2010-05-26 12:57 4 ----a-w- c:\windows\vx86036.dat
2010-06-20 16:43 . 2010-05-05 02:28 335032 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-18 17:12 . 2008-06-28 21:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-18 16:11 . 2010-04-19 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-18 16:02 . 2010-04-19 15:49 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-04 11:51 . 2010-04-20 16:49 -------- d-----w- c:\program files\SoftGate
2010-06-01 21:27 . 2008-06-28 21:27 -------- d-----w- c:\program files\Hewlett-Packard
2010-05-28 21:56 . 2010-05-28 21:56 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\Johnson Controls
2010-05-27 03:13 . 2010-05-27 03:13 -------- d-----w- c:\program files\Windows Media Connect 2
2010-05-26 14:14 . 2010-04-23 16:26 -------- d-----w- c:\program files\Johnson Controls, Inc
2010-05-26 13:59 . 2010-05-26 13:59 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\eRoom
2010-05-26 13:59 . 2010-05-26 13:59 -------- d-----w- c:\program files\eRoom 7
2010-05-23 21:35 . 2010-05-18 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-22 23:22 . 2010-05-22 23:22 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\IGC
2010-05-22 23:22 . 2010-05-22 23:22 -------- d-----w- c:\program files\IGC
2010-05-18 01:04 . 2010-05-18 01:04 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-05-15 14:30 . 2010-05-15 14:21 -------- d-----w- c:\program files\Kroll Ontrack
2010-05-15 12:46 . 2010-05-15 12:46 -------- d-----w- c:\program files\GetData
2010-05-15 12:45 . 2010-05-15 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-14 01:37 . 2010-05-14 01:37 0 ----a-w- c:\windows\nsreg.dat
2010-05-13 18:47 . 2010-05-13 17:50 4987 ----a-w- C:\bradyprinterlog.dat
2010-05-10 01:00 . 2010-04-19 17:41 61096 ----a-w- c:\documents and settings\cyorkmi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-10 00:59 . 2010-05-10 00:59 -------- d-----w- c:\program files\Proteus 7.6sp4
2010-05-10 00:45 . 2010-05-10 00:45 -------- d-----w- c:\program files\Common Files\Labcenter Electronics
2010-05-10 00:45 . 2010-05-10 00:45 -------- d-----w- c:\program files\Labcenter Electronics
2010-05-09 19:45 . 2010-05-09 19:19 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\Panasonic
2010-05-09 19:18 . 2010-05-09 19:18 -------- d-----w- c:\program files\Panasonic
2010-05-09 19:17 . 2010-05-09 19:17 -------- d-----w- c:\documents and settings\cyorkmi\Application Data\InstallShield
2010-05-09 18:07 . 2010-05-09 18:07 -------- d-----w- c:\program files\ImageConverter Plus
2010-05-09 16:16 . 2010-05-09 16:16 -------- d-----w- c:\program files\Fluke
2010-05-09 16:07 . 2010-05-09 16:05 -------- d-----w- c:\program files\Common Files\Brady
2010-05-09 16:05 . 2010-05-09 16:05 -------- d-----w- c:\program files\Brady
2010-05-06 19:52 . 2010-05-06 19:52 130 ----a-w- c:\documents and settings\cyorkmi\Local Settings\Application Data\fusioncache.dat
2010-04-29 20:39 . 2010-05-04 20:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-05-04 20:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 23:38 . 2010-05-09 18:07 182608 ----a-w- c:\windows\system32\cnvshell.dll
2010-04-22 14:07 . 2010-04-22 14:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-19 15:48 . 2010-04-19 15:48 2678 ----a-w- c:\windows\java\Packages\Data\41J97T39.DAT
2010-04-19 15:48 . 2010-04-19 15:48 2678 ----a-w- c:\windows\java\Packages\Data\DVFHBBR7.DAT
2010-04-19 15:48 . 2010-04-19 15:48 2678 ----a-w- c:\windows\java\Packages\Data\YDJ5RP7R.DAT
2010-04-19 15:48 . 2010-04-19 15:48 2678 ----a-w- c:\windows\java\Packages\Data\OUMR33NX.DAT
2010-04-19 15:48 . 2010-04-19 15:48 2678 ----a-w- c:\windows\java\Packages\Data\5ZZNRJ9B.DAT
2010-04-19 15:48 . 2010-04-19 15:48 2232 ----a-w- c:\windows\java\Packages\Data\7HJPFF7J.DAT
2010-04-19 15:48 . 2010-04-19 15:48 155995 ----a-w- c:\windows\java\Packages\WYTJ5F7F.ZIP
2010-04-19 15:38 . 2010-04-19 15:38 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-19 15:38 . 2010-04-19 15:38 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-19 15:33 . 2010-04-19 15:33 0 ----a-w- c:\windows\ativpsrm.bin
2010-04-19 15:31 . 2010-04-19 15:31 108544 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-19 15:31 . 2010-04-19 15:31 104960 ------w- c:\windows\system32\pxinsi64.exe
2010-04-19 15:31 . 2004-07-13 07:03 20576 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-04-19 15:13 . 2010-04-19 15:13 1638400 ----a-w- c:\windows\system32\Gdiplus.dll
2005-11-15 20:32 . 2005-11-15 20:32 3638 ----a-r- c:\program files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-02-28 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-05-12 143360]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-27 115560]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"AccessManager"="c:\program files\AccessManager\Client\AccessMgr.exe" [2004-03-04 618496]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"Softgate"="c:\program files\SoftGate\SoftGateNotify.exe" [2010-02-03 35328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-22 149280]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]

c:\documents and settings\cyorkmi\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2010-5-26 153352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader\reader_sl.exe [2005-9-23 29696]
AIM Version Update Reminder.lnk - c:\program files\Johnson Controls\AIM\AimVer\reminder.exe [2010-4-19 519168]
Auto run of VideoCam Suite 1.0.lnk - c:\program files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe [2010-5-9 161160]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-12 576104]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2010-4-19 1466384]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2010-4-19 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\AMInit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-1202660629-682003330-108885\Scripts\Logon\0\0]
"Script"=NashvilleDrivemappings.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-1202660629-682003330-108885\Scripts\Logon\0\1]
"Script"=makeLocalAdmin.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [5/4/2010 4:03 PM 40560]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [9/22/2008 4:47 PM 24064]
R2 LnsMtsSvc;Echelon Support Service for Microsoft Terminal Services (MTS);c:\lonworks\bin\LnsMtsSvc.exe [9/21/2007 3:40 AM 62776]
R2 MIIIAQ;Metasys III Action Queue;c:\inetpub\Wwwroot\MetasysIII\Tool\bin\ActionQueue.exe [12/9/2009 11:07 AM 192512]
R2 TSM Scheduler;TSM Scheduler;c:\program files\tivoli\tsm\baclient\dsmcsvc.exe [2/21/2007 1:14 PM 3117056]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [9/22/2008 4:49 PM 475520]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [4/19/2010 10:41 AM 228408]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/11/2008 3:23 PM 240344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/4/2010 7:09 AM 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/11/2008 3:33 PM 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [10/2/2008 2:57 PM 47616]
S1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [5/29/2007 6:55 PM 9216]
S2 AMBroker;Access Manager Configuration Service;c:\program files\AccessManager\Client\AMBroker.exe [3/4/2004 2:57 PM 81920]
S2 ChkLpt;ChkLpt;c:\windows\system32\drivers\Chklpt.sys [6/19/2004 2:30 AM 6364]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/27/2009 11:20 AM 23888]
S3 DAPlugin;Visual Insight DA Plugin;c:\program files\AccessManager\Client\DAPlugin.exe [3/4/2004 2:58 PM 81920]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k5132.sys --> c:\windows\system32\DRIVERS\e1k5132.sys [?]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [5/17/2006 2:30 AM 29404]
S3 LdvxBroker;Echelon xDriver Connection Broker;c:\lonworks\bin\LdvxBroker.exe [9/21/2007 3:40 AM 66872]
S3 sp_spi_da;Visual Insight Dial Analysis;c:\program files\AccessManager\SMOC\spi_da.exe [4/17/2003 9:59 AM 81920]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.johnsoncontrols.com/
uInternet Connection Wizard,ShellNext = hxxp://localhost/SCT
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.johnsoncontrols.com/eRoomSetup/client.cab
FF - ProfilePath - c:\documents and settings\cyorkmi\Application Data\Mozilla\Firefox\Profiles\6szzaxkv.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJPI150_13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npeRoom7.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{B53ACCA6-3F22-B04D-FFE9-9998B7DB6F98} - c:\documents and settings\cyorkmi\Application Data\Qaek\exla.exe
SafeBoot-klmdb.sys
SafeBoot-Symantec Antvirus
AddRemove-AIM Tools - Systems - c:\windows\UNWISE.EXE
AddRemove-HASP HL Device Driver - c:\windows\system32\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-04 10:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1556)
c:\windows\system32\amgina.dll
c:\windows\system32\amginar.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-04 10:51:15
ComboFix-quarantined-files.txt 2010-07-04 15:51

Pre-Run: 88,783,405,056 bytes free
Post-Run: 88,760,979,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6AA9E

Edited by keepncool, 04 July 2010 - 12:26 PM.
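The log above carries the entries a responder would pull out first: an orphaned HKCU Run value with a GUID name launching exla.exe out of Application Data, a populated AppInit_DLLs value, Security Center monitoring for the AV switched off, and EnableFirewall = 0 on the standard profile. As an added example (not code from the post, from ComboFix or from BleepingComputer), the script below parses the `[key]` / `"name"=data` line format of the Reg Loading Points section and the `HKCU-Run-... - path` lines of the ORPHANS REMOVED section, then applies a small rule set to surface those indicators. The rule names, the user-writable path fragments and the sample log are constructed for the example; the sample reuses the line formats shown above.

```python
"""Autorun triage over ComboFix-style log lines.

Added example for this thread; it is not code from the post or from ComboFix.
It parses the "[key]" / "name"=data line format of the Reg Loading Points
section and the HKCU-Run-... lines of the ORPHANS REMOVED section, then
applies a constructed rule set. Rule names and the sample log are assumptions
made for the example.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<rest>.*)$')
QUOTED_RE = re.compile(r'^"(?P<data>[^"]*)"\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-(?P<key>Run\w*)-(?P<name>\S+)\s+-\s+(?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Path fragments a standard XP user can write to (assumed list). An autorun
# launching from one of these is not proof of infection, but it is where a
# responder looks first.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Constructed sample, modeled on the line formats of the log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-27 115560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-22 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\AMInit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-{B53ACCA6-3F22-B04D-FFE9-9998B7DB6F98} - c:\documents and settings\cyorkmi\Application Data\Qaek\exla.exe
"""


@dataclass(frozen=True)
class Entry:
    key: str
    name: str
    data: str


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    name: str
    data: str


def parse_entries(text: str) -> list[Entry]:
    """Walk the log once, remembering the current [key] for each value line."""
    entries: list[Entry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif m := ORPHAN_RE.match(line):
            # ComboFix lists loading points it deleted as "HKCU-Run-<name> - <path>";
            # keep them as Run entries so the same rules apply to them.
            orphan_key = f"{m.group('hive')}\\...\\{m.group('key')} (orphan)"
            entries.append(Entry(orphan_key, m.group("name"), m.group("path")))
        elif (m := VALUE_RE.match(line)) and key:
            rest = m.group("rest")
            q = QUOTED_RE.match(rest)  # quoted path, optionally followed by [date size]
            entries.append(Entry(key, m.group("name"), q.group("data") if q else rest))
    return entries


def reg_int(data: str):
    """Read ComboFix's "0 (0x0)" and "dword:00000001" renderings as an int."""
    parts = data.split()
    token = parts[0] if parts else ""
    try:
        return int(token[6:], 16) if token.startswith("dword:") else int(token, 0)
    except ValueError:
        return None


def is_run_key(key: str) -> bool:
    return key.lower().endswith(("\\run", "\\runonce", "(orphan)"))


def triage(text: str) -> list[Finding]:
    """Apply the constructed rule set and return findings in log order."""
    findings: list[Finding] = []
    for e in parse_entries(text):
        k, n, d = e.key.lower(), e.name.lower(), e.data.lower()
        if is_run_key(k):
            if any(frag in d for frag in USER_WRITABLE):
                findings.append(Finding("autorun-from-user-writable-path", e.key, e.name, e.data))
            if GUID_RE.match(e.name):
                findings.append(Finding("guid-named-run-value", e.key, e.name, e.data))
        elif n == "appinit_dlls" and d:
            # On XP every DLL listed here is loaded into each process that loads user32.dll.
            findings.append(Finding("appinit-dll-injection", e.key, e.name, e.data))
        elif "firewallpolicy" in k and n == "enablefirewall" and reg_int(d) == 0:
            findings.append(Finding("firewall-disabled", e.key, e.name, e.data))
        elif "security center\\monitoring" in k and n == "disablemonitoring" and reg_int(d) == 1:
            findings.append(Finding("security-center-monitoring-disabled", e.key, e.name, e.data))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:40} {f.key} :: {f.name} = {f.data}")
```

Each finding is a pointer to something to verify by hand (hash the file, check its signer and creation time, compare the policy value against what the domain GPO should set), not a verdict: AppInit_DLLs is used by legitimate software too, and a disabled firewall may be an enterprise policy rather than tampering. Run it against a saved ComboFix.txt by reading the file into `triage()` in place of `SAMPLE_LOG`.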