Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Results Hijack, Unrequested pop-ups in Firefox


  • This topic is locked This topic is locked
11 replies to this topic

#1 JonG10

JonG10

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:14 PM

Posted 22 August 2010 - 11:53 AM

I have malware that is causing search results in Firefox to be redirected to other pages. I also get occasional unrequested pop-ups for work at home videos, etc.

I've run 3-4 different virus scanners and malware removers on the system. Most did not find anything. Malwarebyte's Anti-Malware found and fixed a couple of things, and ESET found and quarantined a few instances of Win32/Cimg.DF trojan. I am still getting the hijacked search results even though MBAM and ESET scans are coming up clean. I've also run CC cleaner and ATF-Cleaner to get rid of extraneous temp files and registry entries. I ran Rootkit Unhooker and it has some suspicious findings but I have not attempted to unhook anything. I've also run HijackThis but only observed the results without acting on anything in the log file. In preparation for this post/process I ran DeFogger.

One note - I have added entries to my hosts file and the entries I see in the DDS report are all ones that I have added. Also, though I've taken some self-help steps, now that I am asking for assistance I am taking no further actions unless directed. Thanks in advance for your time and assistance.

Here is my DDS.txt:



DDS (Ver_10-03-17.01) - NTFSx86
Run by GraffJ at 10:29:23.00 on Sun 08/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2699 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r201108\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
c:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe
C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe
C:\Program Files\WatchGuard\Mobile VPN\ncpsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Download\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pidgin] c:\program files\pidgin\pidgin.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [lxdemon.exe] "c:\program files\lexmark 4800 series\lxdemon.exe"
mRun: [lxdeamon] "c:\program files\lexmark 4800 series\lxdeamon.exe"
mRun: [<NO NAME>]
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
LSA: Authentication Packages = msv1_0 setuid
Hosts: 172.20.1.200 infra.bka-inc.com
Hosts: 172.20.1.201 database.dev.bka-inc.com
Hosts: 172.20.1.202 application.dev.bka-inc.com
Hosts: 172.20.1.203 reports.dev.bka-inc.com
Hosts: 172.20.1.204 database.test.bka-inc.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\graffj\applic~1\mozilla\firefox\profiles\6n7p0u1w.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2008-5-13 198184]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-9-4 406808]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-7-31 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-7-31 21352]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-11-11 451872]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R2 ncpclcfg;ncpclcfg;c:\program files\watchguard\mobile vpn\ncpclcfg.exe [2010-3-27 86016]
R2 ncprwsnt;ncprwsnt;c:\program files\watchguard\mobile vpn\NCPRWSNT.EXE [2010-3-27 1065480]
R2 NcpSec;NcpSec;c:\program files\watchguard\mobile vpn\NCPSEC.EXE [2010-3-27 32768]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 rwsrsu;RwsRsu;c:\program files\watchguard\mobile vpn\rwsrsu.exe [2010-3-27 850432]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-23 112128]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-12-23 32808]
R3 NcpFiltMP;NcpFiltMP;c:\windows\system32\drivers\ncpvaxp.sys [2010-3-27 79528]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [2009-2-12 99248]
S3 GR433S;GR433S;c:\windows\system32\drivers\GR433s.sys [2009-9-8 66896]
S3 NcpFilt;Ncp Filter Service;c:\windows\system32\drivers\ncpvaxp.sys [2010-3-27 79528]
S3 ncpvaxp;NCP Secure Client Virtual Adapter Driver;c:\windows\system32\drivers\ncpvaxp.sys [2010-3-27 79528]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [2010-4-27 54544]
S3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\drivers\PTUMWCSP.sys [2010-4-27 160400]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [2010-4-27 12048]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [2010-4-27 160400]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [2010-4-27 115216]
S3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\drivers\PTUMWNSP.sys [2010-4-27 160400]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [2010-4-27 160400]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe [2009-1-16 140208]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================

2010-08-22 13:09:15 0 ----a-w- c:\documents and settings\graffj\defogger_reenable
2010-08-22 01:04:39 0 d-----w- c:\program files\CCleaner
2010-08-21 11:46:08 0 d--h--w- c:\windows\system32\GroupPolicy
2010-08-21 02:48:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-20 21:04:20 0 d-----w- c:\program files\ESET
2010-08-20 20:21:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-08-20 19:19:26 0 d-----w- c:\docume~1\graffj\applic~1\ScanSpyware
2010-08-20 18:03:46 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-08-20 17:58:51 28672 ---ha-w- C:\SZKGFS.dat
2010-08-20 17:47:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-08-20 17:46:30 0 d-----w- c:\program files\common files\iS3
2010-08-20 17:46:29 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-08-20 17:13:13 37248 ----a-w- c:\windows\system32\drivers\gtakoftn.sys
2010-08-20 16:31:58 0 d-----w- c:\docume~1\graffj\applic~1\Malwarebytes
2010-08-20 16:31:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-20 16:31:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-20 16:31:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 16:31:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-20 16:29:01 0 d-----w- c:\program files\Trend Micro
2010-08-20 16:03:31 0 d-----w- c:\windows\system32\MpEngineStore
2010-08-18 21:06:27 0 d-----w- c:\program files\Winamp Detect

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 10:30:18.78 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:06:14 PM

Posted 26 August 2010 - 01:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 JonG10

JonG10
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:14 PM

Posted 26 August 2010 - 05:55 PM

Hi, Shannon, thanks for your response. No worries on the response time; I'm glad to have any help at all.
I am still experiencing search result hijacking and occasional browser pop-up windows. I ran DDS; logs are below and attached. The GMER log is also attached. Regarding my GMER log I noticed the following entry:

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

Does this indicate I have CD emulation software running? I ran DeFogger the other day when I started this thread but did not run it again today before running GMER again. It could be nothing but I wanted to mention it since I have already run DeFogger and the instructions indicate not to run it again unless instructed.




DDS (Ver_10-03-17.01) - NTFSx86
Run by GraffJ at 15:44:39.12 on Thu 08/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2939 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r201108\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
c:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe
C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe
C:\Program Files\WatchGuard\Mobile VPN\ncpsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\GraffJ\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pidgin] c:\program files\pidgin\pidgin.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [lxdemon.exe] "c:\program files\lexmark 4800 series\lxdemon.exe"
mRun: [lxdeamon] "c:\program files\lexmark 4800 series\lxdeamon.exe"
mRun: [<NO NAME>]
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
LSA: Authentication Packages = msv1_0 setuid
Hosts: 172.20.1.200 infra.bka-inc.com
Hosts: 172.20.1.201 database.dev.bka-inc.com
Hosts: 172.20.1.202 application.dev.bka-inc.com
Hosts: 172.20.1.203 reports.dev.bka-inc.com
Hosts: 172.20.1.204 database.test.bka-inc.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\graffj\applic~1\mozilla\firefox\profiles\6n7p0u1w.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-23 112128]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-12-23 32808]
R3 NcpFiltMP;NcpFiltMP;c:\windows\system32\drivers\ncpvaxp.sys [2010-3-27 79528]
S3 GR433S;GR433S;c:\windows\system32\drivers\GR433s.sys [2009-9-8 66896]
S3 NcpFilt;Ncp Filter Service;c:\windows\system32\drivers\ncpvaxp.sys [2010-3-27 79528]
S3 ncpvaxp;NCP Secure Client Virtual Adapter Driver;c:\windows\system32\drivers\ncpvaxp.sys [2010-3-27 79528]

============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================

2010-08-26 12:42:19 1505 ----a-w- c:\documents and settings\graffj\.recently-used.xbel
2010-08-22 13:09:15 0 ----a-w- c:\documents and settings\graffj\defogger_reenable
2010-08-22 01:04:39 0 d-----w- c:\program files\CCleaner
2010-08-21 11:46:08 0 d--h--w- c:\windows\system32\GroupPolicy
2010-08-21 02:48:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-20 21:04:20 0 d-----w- c:\program files\ESET
2010-08-20 20:21:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-08-20 19:19:26 0 d-----w- c:\docume~1\graffj\applic~1\ScanSpyware
2010-08-20 18:03:46 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-08-20 17:58:51 28672 ---ha-w- C:\SZKGFS.dat
2010-08-20 17:47:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-08-20 17:46:30 0 d-----w- c:\program files\common files\iS3
2010-08-20 17:46:29 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-08-20 17:13:13 37248 ----a-w- c:\windows\system32\drivers\gtakoftn.sys
2010-08-20 16:31:58 0 d-----w- c:\docume~1\graffj\applic~1\Malwarebytes
2010-08-20 16:31:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-20 16:31:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-20 16:31:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 16:31:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-20 16:29:01 0 d-----w- c:\program files\Trend Micro
2010-08-20 16:03:31 0 d-----w- c:\windows\system32\MpEngineStore
2010-08-18 21:06:27 0 d-----w- c:\program files\Winamp Detect

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 15:46:11.73 ===============

Attached Files



#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:14 PM

Posted 29 August 2010 - 09:17 AM

Hi JonG10,




Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum. welcome.gif
My name is sundavis, I will be helping you to deal with your Malware problems today.

Step1
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop.
  3. Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  4. If an infected file is detected, the default action will be Cure, click on Continue.
  5. If a suspicious file is detected, the default action will be Skip, click on Continue.
  6. It may ask you to reboot the computer to complete the process. Click on Reboot Now
  7. If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  8. If a reboot is required, the report can also be found in your root directory, (usually C:\ TDSSKiller folder). Please copy and paste the contents of that file here.


Step2


  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the OTL on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the Run Scan button.
  6. Two reports will open, copy and paste them in your next reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


In your next reply, please post back:


1.TDSSKiller.txt
2.OTListIt.txt and Extra.txt Thanks



#5 JonG10

JonG10
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:14 PM

Posted 29 August 2010 - 10:31 AM

Hi, sundavis - thanks for the welcome and help!

When I ran OTL I checked the "Scan all users box". When it was finished scanning only a single window named OTL.Txt opened up. I pasted the contents of that window below.


Log from TDSSKiller:


2010/08/29 10:33:03.0114 TDSS rootkit removing tool 2.4.1.3 Aug 27 2010 08:53:42
2010/08/29 10:33:03.0114 ================================================================================
2010/08/29 10:33:03.0114 SystemInfo:
2010/08/29 10:33:03.0114
2010/08/29 10:33:03.0114 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/29 10:33:03.0114 Product type: Workstation
2010/08/29 10:33:03.0114 ComputerName: PROTELLAP051
2010/08/29 10:33:03.0114 UserName: GraffJ
2010/08/29 10:33:03.0114 Windows directory: C:\WINDOWS
2010/08/29 10:33:03.0114 System windows directory: C:\WINDOWS
2010/08/29 10:33:03.0114 Processor architecture: Intel x86
2010/08/29 10:33:03.0114 Number of processors: 2
2010/08/29 10:33:03.0114 Page size: 0x1000
2010/08/29 10:33:03.0114 Boot type: Normal boot
2010/08/29 10:33:03.0114 ================================================================================
2010/08/29 10:33:03.0239 Initialize success
2010/08/29 10:33:07.0849 ================================================================================
2010/08/29 10:33:07.0849 Scan started
2010/08/29 10:33:07.0849 Mode: Manual;
2010/08/29 10:33:07.0849 ================================================================================
2010/08/29 10:33:08.0474 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/08/29 10:33:08.0567 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/29 10:33:08.0583 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/08/29 10:33:08.0646 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/08/29 10:33:08.0692 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/29 10:33:08.0739 AESTAud (20f078136f3bdc4c0405c0527b769303) C:\WINDOWS\system32\drivers\AESTAud.sys
2010/08/29 10:33:08.0786 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/29 10:33:08.0817 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/08/29 10:33:08.0833 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/08/29 10:33:08.0849 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/08/29 10:33:08.0864 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/08/29 10:33:08.0896 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/08/29 10:33:08.0927 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/08/29 10:33:08.0942 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/08/29 10:33:08.0958 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/08/29 10:33:08.0974 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/08/29 10:33:09.0005 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/29 10:33:09.0036 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/08/29 10:33:09.0052 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/08/29 10:33:09.0067 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/08/29 10:33:09.0114 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/29 10:33:09.0161 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/29 10:33:09.0192 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/29 10:33:09.0224 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/29 10:33:09.0271 b57w2k (58911390115465bf6d8048f21f48655a) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/08/29 10:33:09.0333 BCM43XX (9208c78bd9283f79a30252ad954c77a2) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/08/29 10:33:09.0380 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/29 10:33:09.0442 btaudio (f688bbbe8e3e7e03e35caabd66616ddb) C:\WINDOWS\system32\drivers\btaudio.sys
2010/08/29 10:33:09.0489 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/08/29 10:33:09.0521 BTKRNL (38a3331e2f690d4cdc9de0604b9416e5) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/08/29 10:33:09.0567 BTWDNDIS (80f61de965c116051614ac2f04222ff7) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2010/08/29 10:33:09.0583 btwmodem (5922bae0cd84924b9cd7e6bb515ee070) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
2010/08/29 10:33:09.0599 BTWUSB (d5af663711660d32ec230c6aaf7b6b83) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/08/29 10:33:09.0614 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/08/29 10:33:09.0630 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/29 10:33:09.0646 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/08/29 10:33:09.0661 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/29 10:33:09.0677 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/29 10:33:09.0692 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/29 10:33:09.0739 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/08/29 10:33:09.0771 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/08/29 10:33:09.0786 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/08/29 10:33:09.0802 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/08/29 10:33:09.0864 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2010/08/29 10:33:09.0911 cvusbdrv (6fdbd7618935247d24a84d673d796ad0) C:\WINDOWS\system32\Drivers\cvusbdrv.sys
2010/08/29 10:33:09.0942 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/08/29 10:33:09.0958 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/08/29 10:33:09.0989 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/29 10:33:10.0021 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
2010/08/29 10:33:10.0021 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
2010/08/29 10:33:10.0052 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/08/29 10:33:10.0052 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
2010/08/29 10:33:10.0067 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
2010/08/29 10:33:10.0083 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
2010/08/29 10:33:10.0099 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
2010/08/29 10:33:10.0114 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2010/08/29 10:33:10.0130 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
2010/08/29 10:33:10.0130 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
2010/08/29 10:33:10.0192 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/29 10:33:10.0224 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/29 10:33:10.0239 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/29 10:33:10.0286 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/29 10:33:10.0302 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/08/29 10:33:10.0349 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/29 10:33:10.0364 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/08/29 10:33:10.0380 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/08/29 10:33:10.0411 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/29 10:33:10.0427 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/29 10:33:10.0458 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/29 10:33:10.0458 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/29 10:33:10.0489 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/29 10:33:10.0505 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/29 10:33:10.0521 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/29 10:33:10.0552 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/29 10:33:10.0583 GR433S (9a673b6cf8b78487219fc42a70d4492e) C:\WINDOWS\system32\Drivers\GR433s.sys
2010/08/29 10:33:10.0614 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/29 10:33:10.0630 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/29 10:33:10.0661 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/08/29 10:33:10.0708 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/29 10:33:10.0724 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/08/29 10:33:10.0739 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/08/29 10:33:10.0771 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/29 10:33:10.0802 iaStor (692830b048aacd7e0d6ededf098acc01) C:\WINDOWS\system32\drivers\iaStor.sys
2010/08/29 10:33:10.0849 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/29 10:33:10.0864 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/08/29 10:33:10.0896 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/08/29 10:33:10.0911 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/29 10:33:10.0942 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/08/29 10:33:10.0942 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/29 10:33:10.0974 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/29 10:33:11.0005 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/29 10:33:11.0021 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/29 10:33:11.0052 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/29 10:33:11.0067 isapnp (183efdc4946d090266a1f8e1f6219a3b) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/29 10:33:11.0067 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: 183efdc4946d090266a1f8e1f6219a3b, Fake md5: 05a299ec56e52649b1cf2fc52d20f2d7
2010/08/29 10:33:11.0067 isapnp - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/29 10:33:11.0083 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/29 10:33:11.0099 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/29 10:33:11.0146 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/29 10:33:11.0192 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/29 10:33:11.0224 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/29 10:33:11.0271 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/29 10:33:11.0302 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/29 10:33:11.0333 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/29 10:33:11.0349 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/29 10:33:11.0380 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/08/29 10:33:11.0380 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/29 10:33:11.0427 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/29 10:33:11.0474 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/29 10:33:11.0505 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/29 10:33:11.0521 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/29 10:33:11.0536 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/29 10:33:11.0552 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/29 10:33:11.0567 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/29 10:33:11.0614 NcpFilt (259e62a7edbcca4992e9af04b933c5cb) C:\WINDOWS\system32\DRIVERS\ncpvaxp.sys
2010/08/29 10:33:11.0630 NcpFiltMP (259e62a7edbcca4992e9af04b933c5cb) C:\WINDOWS\system32\DRIVERS\ncpvaxp.sys
2010/08/29 10:33:11.0630 ncpvaxp (259e62a7edbcca4992e9af04b933c5cb) C:\WINDOWS\system32\DRIVERS\ncpvaxp.sys
2010/08/29 10:33:11.0661 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/29 10:33:11.0677 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/29 10:33:11.0692 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/29 10:33:11.0708 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/29 10:33:11.0724 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/29 10:33:11.0739 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/29 10:33:11.0755 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/29 10:33:11.0786 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/29 10:33:11.0833 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
2010/08/29 10:33:11.0849 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/29 10:33:11.0896 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/29 10:33:11.0911 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/29 10:33:12.0067 nv (25167771f5afad71808b0080fe4f2312) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/29 10:33:12.0255 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/29 10:33:12.0255 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/29 10:33:12.0286 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/29 10:33:12.0317 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/08/29 10:33:12.0333 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/29 10:33:12.0349 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/29 10:33:12.0380 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
2010/08/29 10:33:12.0411 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/29 10:33:12.0458 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/29 10:33:12.0489 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/08/29 10:33:12.0552 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/08/29 10:33:12.0583 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/08/29 10:33:12.0646 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/29 10:33:12.0661 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/29 10:33:12.0677 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/29 10:33:12.0724 PTUMWBus (9866479c5c894c3a064eeb6f68618822) C:\WINDOWS\system32\DRIVERS\PTUMWBus.sys
2010/08/29 10:33:12.0771 PTUMWCSP (bde873e80c037f170c7e71835051f0cf) C:\WINDOWS\system32\DRIVERS\PTUMWCSP.sys
2010/08/29 10:33:12.0802 PTUMWFLT (4f840761bb4d674856f6c36f9b66624c) C:\WINDOWS\system32\DRIVERS\PTUMWFLT.sys
2010/08/29 10:33:12.0833 PTUMWMdm (411e332a6426c9b87f5f9b02bcdd15bf) C:\WINDOWS\system32\DRIVERS\PTUMWMdm.sys
2010/08/29 10:33:12.0880 PTUMWNET (bdc1f41f77415a432ca030f30f2ab898) C:\WINDOWS\system32\DRIVERS\PTUMWNET.sys
2010/08/29 10:33:12.0927 PTUMWNSP (08be854076e8a54f3f2e59c89cdcfc96) C:\WINDOWS\system32\DRIVERS\PTUMWNSP.sys
2010/08/29 10:33:12.0942 PTUMWVsp (e4812824cdc46a90dde225c0fd284098) C:\WINDOWS\system32\DRIVERS\PTUMWVsp.sys
2010/08/29 10:33:13.0005 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/29 10:33:13.0036 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/08/29 10:33:13.0067 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/08/29 10:33:13.0067 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/08/29 10:33:13.0099 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/08/29 10:33:13.0114 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/08/29 10:33:13.0146 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/29 10:33:13.0192 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/29 10:33:13.0208 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/29 10:33:13.0224 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/29 10:33:13.0255 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/29 10:33:13.0286 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/29 10:33:13.0302 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/29 10:33:13.0349 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/29 10:33:13.0380 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/29 10:33:13.0411 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2010/08/29 10:33:13.0427 rimsptsk (03d6740e41e86476ef7d1e52ca0b947d) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2010/08/29 10:33:13.0442 rismxdp (d231b577024aa324af13a42f3a807d10) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2010/08/29 10:33:13.0474 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/08/29 10:33:13.0505 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/29 10:33:13.0536 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/08/29 10:33:13.0567 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/29 10:33:13.0599 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/08/29 10:33:13.0677 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
2010/08/29 10:33:13.0802 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/08/29 10:33:13.0864 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/29 10:33:13.0896 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/29 10:33:13.0958 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/29 10:33:14.0036 STHDA (9baa5e118c8e8726e39d1f60333e0842) C:\WINDOWS\system32\drivers\sthda.sys
2010/08/29 10:33:14.0083 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/29 10:33:14.0114 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/29 10:33:14.0177 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/08/29 10:33:14.0239 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/08/29 10:33:14.0255 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/08/29 10:33:14.0286 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/08/29 10:33:14.0364 SynTP (337eb83164f8bbf79c5d2e45da7bdc51) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/08/29 10:33:14.0396 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/29 10:33:14.0458 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/29 10:33:14.0521 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/29 10:33:14.0552 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/29 10:33:14.0583 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/29 10:33:14.0630 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/08/29 10:33:14.0677 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/29 10:33:14.0739 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/08/29 10:33:14.0786 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/29 10:33:14.0849 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/29 10:33:14.0896 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINDOWS\system32\DRIVERS\usbccid.sys
2010/08/29 10:33:14.0911 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/29 10:33:14.0958 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/29 10:33:15.0036 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/29 10:33:15.0114 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/29 10:33:15.0130 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/29 10:33:15.0161 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/29 10:33:15.0255 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/08/29 10:33:15.0286 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/08/29 10:33:15.0317 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/29 10:33:15.0380 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/29 10:33:15.0427 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/08/29 10:33:15.0458 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/29 10:33:15.0536 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/08/29 10:33:15.0583 ================================================================================
2010/08/29 10:33:15.0583 Scan finished
2010/08/29 10:33:15.0583 ================================================================================
2010/08/29 10:33:15.0599 Detected object count: 1
2010/08/29 10:33:40.0427 isapnp (183efdc4946d090266a1f8e1f6219a3b) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/29 10:33:40.0427 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: 183efdc4946d090266a1f8e1f6219a3b, Fake md5: 05a299ec56e52649b1cf2fc52d20f2d7
2010/08/29 10:33:42.0020 Backup copy found, using it..
2010/08/29 10:33:42.0036 C:\WINDOWS\system32\DRIVERS\isapnp.sys - will be cured after reboot
2010/08/29 10:33:42.0036 Rootkit.Win32.TDSS.tdl3(isapnp) - User select action: Cure
2010/08/29 10:33:56.0177 Deinitialize success



OTL.txt:


OTL logfile created on: 8/29/2010 11:25:23 AM - Run 2
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\GraffJ\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 84.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.95 Gb Total Space | 121.42 Gb Free Space | 81.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PROTELLAP051
Current User Name: GraffJ
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/29 10:32:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GraffJ\Desktop\OTL.exe
PRC - [2010/08/10 09:57:24 | 000,049,321 | ---- | M] (The Pidgin developer community) -- C:\Program Files\Pidgin\pidgin.exe
PRC - [2010/08/01 16:41:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/02/18 09:39:14 | 001,065,480 | ---- | M] (NCP Engineering GmbH) -- C:\Program Files\WatchGuard\Mobile VPN\NCPRWSNT.EXE
PRC - [2008/12/02 08:33:54 | 000,850,432 | ---- | M] () -- C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe
PRC - [2008/11/11 17:00:26 | 000,451,872 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
PRC - [2008/11/11 16:58:28 | 000,950,048 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
PRC - [2008/10/27 21:11:06 | 000,237,657 | ---- | M] (IDT, Inc.) -- c:\drivers\audio\R201108\stacsv.exe
PRC - [2008/10/06 10:58:18 | 000,032,768 | ---- | M] () -- C:\Program Files\WatchGuard\Mobile VPN\NCPSEC.EXE
PRC - [2008/09/30 09:16:08 | 000,298,536 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
PRC - [2008/09/04 19:28:42 | 000,406,808 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
PRC - [2008/08/18 13:12:42 | 000,598,016 | ---- | M] (Dell, Inc.) -- C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
PRC - [2008/07/31 23:41:50 | 000,808,296 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
PRC - [2008/07/31 23:41:50 | 000,021,352 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
PRC - [2008/06/30 12:22:40 | 000,086,016 | ---- | M] (NCP engineering GmbH) -- C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe
PRC - [2008/06/15 08:12:18 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/05/23 16:06:08 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/05/13 18:28:44 | 000,198,184 | ---- | M] (ActivIdentity) -- c:\Program Files\ActivIdentity\ActivClient\accoca.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/07 09:21:48 | 000,128,552 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
PRC - [2007/06/11 14:53:14 | 000,455,600 | ---- | M] () -- C:\Program Files\Lexmark 4800 Series\lxdemon.exe
PRC - [2007/06/01 09:06:10 | 000,020,480 | ---- | M] () -- C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
PRC - [2007/05/29 10:07:58 | 000,598,960 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdecoms.exe


========== Modules (SafeList) ==========

MOD - [2010/08/29 10:32:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GraffJ\Desktop\OTL.exe
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/10/20 14:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/02/18 09:39:14 | 001,065,480 | ---- | M] (NCP Engineering GmbH) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile VPN\NCPRWSNT.EXE -- (ncprwsnt)
SRV - [2008/12/02 08:33:54 | 000,850,432 | ---- | M] () [Auto | Running] -- C:\Program Files\WatchGuard\Mobile VPN\rwsrsu.exe -- (rwsrsu)
SRV - [2008/11/11 17:00:26 | 000,451,872 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe -- (dcpsysmgrsvc)
SRV - [2008/10/27 21:11:06 | 000,237,657 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\drivers\audio\R201108\stacsv.exe -- (STacSV)
SRV - [2008/10/06 10:58:18 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\Program Files\WatchGuard\Mobile VPN\NCPSEC.EXE -- (NcpSec)
SRV - [2008/09/04 19:28:42 | 000,406,808 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe -- (buttonsvc32)
SRV - [2008/07/31 23:41:50 | 000,808,296 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe -- (Credential Vault Host Control Service)
SRV - [2008/07/31 23:41:50 | 000,021,352 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe -- (Credential Vault Host Storage)
SRV - [2008/06/30 12:22:40 | 000,086,016 | ---- | M] (NCP engineering GmbH) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe -- (ncpclcfg)
SRV - [2008/06/15 08:12:20 | 000,354,840 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/05/13 18:28:44 | 000,198,184 | ---- | M] (ActivIdentity) [Auto | Running] -- c:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca)
SRV - [2008/05/09 17:59:10 | 000,140,208 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\TEMP\Clt-Inst\vpremote.exe -- (VPREMOTE)
SRV - [2007/05/29 10:07:58 | 000,598,960 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdecoms.exe -- (lxde_device)
SRV - [2007/05/29 10:06:44 | 000,099,248 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdeserv.exe -- (lxdeCATSCustConnectService)
SRV - [2006/07/05 16:19:26 | 000,058,368 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\CVSNT\cvslock.exe -- (cvslock)
SRV - [2006/07/05 16:19:26 | 000,037,888 | ---- | M] (March Hare Software Ltd) [On_Demand | Stopped] -- C:\Program Files\CVSNT\cvsservice.exe -- (cvsnt)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\vsdatant.sys -- (vsdatant)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\PCASp50.sys -- (PCASp50)
DRV - [2009/10/27 03:28:50 | 000,160,400 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTUMWVsp.sys -- (PTUMWVsp)
DRV - [2009/10/27 03:28:44 | 000,160,400 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTUMWNSP.sys -- (PTUMWNSP)
DRV - [2009/10/27 03:28:38 | 000,115,216 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTUMWNET.sys -- (PTUMWNET)
DRV - [2009/10/27 03:28:32 | 000,160,400 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTUMWMdm.sys -- (PTUMWMdm)
DRV - [2009/10/27 03:28:26 | 000,012,048 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTUMWFLT.sys -- (PTUMWFLT)
DRV - [2009/10/27 03:28:20 | 000,160,400 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTUMWCSP.sys -- (PTUMWCSP)
DRV - [2009/10/27 03:28:04 | 000,054,544 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTUMWBus.sys -- (PTUMWBus)
DRV - [2009/10/20 14:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/05/25 15:43:58 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/12/10 14:43:04 | 000,079,528 | ---- | M] (NCP Engineering GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ncpvaxp.sys -- (ncpvaxp)
DRV - [2008/12/10 14:43:04 | 000,079,528 | ---- | M] (NCP Engineering GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ncpvaxp.sys -- (NcpFiltMP)
DRV - [2008/12/10 14:43:04 | 000,079,528 | ---- | M] (NCP Engineering GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ncpvaxp.sys -- (NcpFilt)
DRV - [2008/10/28 18:08:46 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/10/27 21:11:08 | 001,391,418 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/10/27 21:10:54 | 000,112,128 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/09/04 16:57:10 | 000,226,336 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/08/20 22:20:26 | 006,600,160 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/08/18 12:01:26 | 000,037,032 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
DRV - [2008/08/18 12:01:20 | 000,156,392 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/08/18 12:01:18 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/08/18 12:01:14 | 000,991,016 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/08/18 12:01:12 | 000,534,440 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008/08/18 11:37:14 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/08/13 00:28:52 | 000,176,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2008/07/31 23:39:26 | 000,032,808 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cvusbdrv.sys -- (cvusbdrv)
DRV - [2008/07/22 18:08:20 | 000,028,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)
DRV - [2008/07/20 23:04:22 | 000,318,488 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/07/20 22:31:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2008/07/20 22:31:18 | 000,056,832 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2008/07/20 22:31:18 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/06/04 16:14:00 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys -- (PBADRV)
DRV - [2008/04/14 08:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 08:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/07/23 17:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 17:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 17:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 17:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 17:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 17:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 17:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 17:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 16:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2007/07/23 16:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 16:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/07/23 16:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2002/09/13 03:45:40 | 000,066,896 | ---- | M] (Gemplus) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GR433s.sys -- (GR433S)
DRV - [2001/08/17 22:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 22:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 22:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 22:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 22:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 21:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 21:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 21:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 21:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 21:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 21:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 21:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 21:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 21:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 21:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/...?channel=us-smb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
IE - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/...?channel=us-smb
IE - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/smallbiz.del...amp;ibd=3081224
IE - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/20 16:23:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/20 07:17:40 | 000,000,000 | ---D | M]

[2009/02/17 09:50:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GraffJ\Application Data\Mozilla\Extensions
[2010/08/28 21:57:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\GraffJ\Application Data\Mozilla\Firefox\Profiles\6n7p0u1w.default\extensions
[2010/08/20 07:13:47 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\GraffJ\Application Data\Mozilla\Firefox\Profiles\6n7p0u1w.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/13 13:20:43 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\GraffJ\Application Data\Mozilla\Firefox\Profiles\6n7p0u1w.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/08/28 21:57:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/14 14:00:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/12 12:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2010/06/15 08:49:54 | 000,001,240 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 172.20.1.200 infra.bka-inc.com
O1 - Hosts: 172.20.1.201 database.dev.bka-inc.com
O1 - Hosts: 172.20.1.202 application.dev.bka-inc.com
O1 - Hosts: 172.20.1.203 reports.dev.bka-inc.com
O1 - Hosts: 172.20.1.204 database.test.bka-inc.com
O1 - Hosts: 172.20.1.205 application.test.bka-inc.com
O1 - Hosts: 172.20.1.206 reports.test.bka-inc.com
O1 - Hosts: 70.183.189.124 aragorn.bka-inc.com
O1 - Hosts: 10.96.0.170 db1
O1 - Hosts: 10.96.0.171 inf0
O1 - Hosts: 10.96.0.172 app1
O1 - Hosts: 10.96.0.173 inf1
O1 - Hosts: 10.96.0.174 app2
O1 - Hosts: 10.96.0.175 inf2
O1 - Hosts: 10.96.0.176 app3
O1 - Hosts: 209.132.225.87 www.quarantine2019.com
O1 - Hosts: 209.132.225.87 quarantine2019.com
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [accrdsub] c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)
O4 - HKLM..\Run: [DellControlPoint] C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (Dell, Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [lxdeamon] C:\Program Files\Lexmark 4800 Series\lxdeamon.exe ()
O4 - HKLM..\Run: [lxdemon.exe] C:\Program Files\Lexmark 4800 Series\lxdemon.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe (The Pidgin developer community)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe (ActivIdentity)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 198.77.116.8 198.77.116.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = protelligent.local
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (msgina.dll) - C:\WINDOWS\System32\msgina.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ackpbsc: DllName - c:\WINDOWS\system32\ackpbsc.dll - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity)
O20 - Winlogon\Notify\acunlock: DllName - c:\Program Files\ActivIdentity\ActivClient\acunlock.dll - c:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity)
O24 - Desktop WallPaper: C:\Documents and Settings\GraffJ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\GraffJ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (setuid) - C:\WINDOWS\System32\setuid.dll (March-Hare Software Ltd)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 17:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{207a4479-ec90-11dd-9f44-0021708a6b56}\Shell - "" = AutoRun
O33 - MountPoints2\{207a4479-ec90-11dd-9f44-0021708a6b56}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{207a4479-ec90-11dd-9f44-0021708a6b56}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/08/29 11:18:34 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\GraffJ\Desktop\OTL.exe
[2010/08/29 10:30:22 | 001,207,120 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\GraffJ\Desktop\TDSSKiller.exe
[2010/08/28 06:13:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/08/28 06:13:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/21 22:31:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\GraffJ\Desktop\GooredFix Backups
[2010/08/21 21:06:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\GraffJ\Recent
[2010/08/21 21:04:39 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/08/21 07:46:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/08/20 22:48:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/08/20 22:48:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/08/20 17:04:20 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/08/20 16:21:34 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/08/20 16:21:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/08/20 15:19:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\GraffJ\Application Data\ScanSpyware
[2010/08/20 13:47:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/08/20 13:46:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/08/20 13:46:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/08/20 13:13:13 | 000,037,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\gtakoftn.sys
[2010/08/20 12:31:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\GraffJ\Application Data\Malwarebytes
[2010/08/20 12:31:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/20 12:31:50 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/20 12:31:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/20 12:31:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/20 12:29:01 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/08/20 12:16:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/08/20 12:03:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/08/19 10:45:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/08/19 10:45:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/08/18 17:06:27 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp Detect
[2010/08/06 21:01:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2009/02/12 15:56:23 | 000,434,176 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdehcp.dll
[2009/02/12 15:56:22 | 001,200,128 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeserv.dll
[2009/02/12 15:56:22 | 000,950,272 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeusb1.dll
[2009/02/12 15:56:22 | 000,860,160 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdecomc.dll
[2009/02/12 15:56:22 | 000,663,552 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdehbn3.dll
[2009/02/12 15:56:22 | 000,647,168 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdepmui.dll
[2009/02/12 15:56:22 | 000,565,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdelmpm.dll
[2009/02/12 15:56:22 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdecomm.dll
[2009/02/12 15:56:22 | 000,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeinpa.dll
[2009/02/12 15:56:22 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeiesc.dll
[2009/02/12 15:56:22 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdeprox.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/29 11:18:58 | 000,534,162 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/29 11:18:58 | 000,450,166 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/29 11:18:58 | 000,074,788 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/29 11:18:31 | 000,057,118 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/08/29 11:17:48 | 000,035,537 | ---- | M] () -- C:\WINDOWS\System32\nvwsapps.xml
[2010/08/29 10:34:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/29 10:34:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/29 10:34:42 | 3745,423,360 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/29 10:34:04 | 008,650,752 | -H-- | M] () -- C:\Documents and Settings\GraffJ\NTUSER.DAT
[2010/08/29 10:34:04 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\GraffJ\ntuser.ini
[2010/08/29 10:32:29 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\GraffJ\Desktop\OTL.exe
[2010/08/29 10:30:08 | 001,142,139 | ---- | M] () -- C:\Documents and Settings\GraffJ\Desktop\tdsskiller.zip
[2010/08/28 13:36:50 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\GraffJ\Desktop\Microsoft Office Outlook 2007.lnk
[2010/08/28 09:30:06 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\GraffJ\Local Settings\Application Data\PUTTY.RND
[2010/08/27 23:56:10 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\GraffJ\PUTTY.RND
[2010/08/27 08:54:52 | 001,207,120 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\GraffJ\Desktop\TDSSKiller.exe
[2010/08/26 15:29:57 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\GraffJ\Desktop\dds.scr
[2010/08/26 08:42:19 | 000,001,505 | ---- | M] () -- C:\Documents and Settings\GraffJ\.recently-used.xbel
[2010/08/25 10:50:22 | 000,010,272 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/08/22 09:09:15 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\GraffJ\defogger_reenable
[2010/08/20 22:48:15 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/20 16:55:13 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/08/20 14:03:54 | 000,000,744 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/08/20 13:58:51 | 000,028,672 | -H-- | M] () -- C:\SZKGFS.dat
[2010/08/20 13:13:13 | 000,037,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\gtakoftn.sys
[2010/08/15 21:36:43 | 000,139,648 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/13 17:30:55 | 000,001,724 | -H-- | M] () -- C:\Documents and Settings\GraffJ\My Documents\Default.rdp
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/29 10:29:50 | 001,142,139 | ---- | C] () -- C:\Documents and Settings\GraffJ\Desktop\tdsskiller.zip
[2010/08/26 15:35:45 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\GraffJ\Desktop\gmer.exe
[2010/08/26 15:29:43 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\GraffJ\Desktop\dds.scr
[2010/08/26 08:42:19 | 000,001,505 | ---- | C] () -- C:\Documents and Settings\GraffJ\.recently-used.xbel
[2010/08/22 09:09:15 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\GraffJ\defogger_reenable
[2010/08/20 22:48:15 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/20 14:03:46 | 000,000,744 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/08/20 13:58:51 | 000,028,672 | -H-- | C] () -- C:\SZKGFS.dat
[2010/08/13 14:01:38 | 000,001,724 | -H-- | C] () -- C:\Documents and Settings\GraffJ\My Documents\Default.rdp
[2010/04/27 23:07:16 | 000,010,440 | ---- | C] () -- C:\WINDOWS\System32\ptumwcit.dll
[2009/10/20 14:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/03/23 12:24:42 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\GraffJ\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/12 15:57:05 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdevs.dll
[2009/02/12 15:57:04 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\lxdecoin.dll
[2009/02/12 15:56:46 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxdecaps.dll
[2009/02/12 15:56:45 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdedrs.dll
[2009/02/12 15:56:45 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdecnv4.dll
[2009/02/12 15:56:23 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\lxdeinst.dll
[2009/02/12 15:56:22 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdegrd.dll
[2009/01/27 15:03:00 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\GraffJ\Local Settings\Application Data\PUTTY.RND
[2009/01/27 12:24:32 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\GraffJ\Local Settings\Application Data\WavXMapDrive.bat
[2008/12/23 20:36:44 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/23 20:36:44 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/12/23 20:36:44 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/12/23 20:36:44 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/12/23 20:36:31 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2008/12/23 20:35:36 | 000,001,157 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/12/23 19:19:19 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/12/23 19:14:47 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/12/23 19:13:17 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/12/23 19:00:38 | 000,157,008 | ---- | C] () -- C:\WINDOWS\System32\brcmbsp.dll
[2008/12/23 18:59:19 | 000,080,368 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2008/08/15 10:46:30 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/04/25 17:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/02/07 09:21:48 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\aicext.dll
[2006/06/30 14:58:44 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2006/06/30 14:58:44 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2005/02/17 14:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 14:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 15:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >




#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:14 PM

Posted 29 August 2010 - 11:06 AM

Hi JonG10,




Step1

  1. Please start OTL on your desktop.
  2. Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of code box.

    CODE
    :OTL
    O1 - Hosts: 172.20.1.200 infra.bka-inc.com
    O1 - Hosts: 172.20.1.201 database.dev.bka-inc.com
    O1 - Hosts: 172.20.1.202 application.dev.bka-inc.com
    O1 - Hosts: 172.20.1.203 reports.dev.bka-inc.com
    O1 - Hosts: 172.20.1.204 database.test.bka-inc.com
    O1 - Hosts: 172.20.1.205 application.test.bka-inc.com
    O1 - Hosts: 172.20.1.206 reports.test.bka-inc.com
    O1 - Hosts: 70.183.189.124 aragorn.bka-inc.com
    O1 - Hosts: 10.96.0.170 db1
    O1 - Hosts: 10.96.0.171 inf0
    O1 - Hosts: 10.96.0.172 app1
    O1 - Hosts: 10.96.0.173 inf1
    O1 - Hosts: 10.96.0.174 app2
    O1 - Hosts: 10.96.0.175 inf2
    O1 - Hosts: 10.96.0.176 app3
    O1 - Hosts: 209.132.225.87 www.quarantine2019.com
    O1 - Hosts: 209.132.225.87 quarantine2019.com
    O4 - HKLM..\Run: [] File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O37 - HKU\S-1-5-21-3135820999-2296613693-2850537065-1008\...exe [@ = exefile] -- Reg Error: Key error. File not found

    :Commands
    [resethosts]
    [emptytemp]
    [start explorer]
    [Reboot]
  3. Click Run Fix button on the top.
  4. Click OK and let it run unhindered.
  5. OTL will ask to reboot the machine. Please OK the prompt.
  6. A report will open. Copy and Paste that report in your next reply.


Step2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: CombFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post back:


1.OTL delete log
2.ComboFix log

Tell me if you have any remaining issues on your pc.

#7 JonG10

JonG10
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:14 PM

Posted 29 August 2010 - 02:01 PM

sundavis,

Thanks! My laptop is behaving much better now! I haven't seen a search redirect or spontaneous pop-up in a while. My logs from OTL and ComboFix are below.


OTL delete log:


All processes killed
========== OTL ==========
172.20.1.200 infra.bka-inc.com removed from HOSTS file successfully
172.20.1.201 database.dev.bka-inc.com removed from HOSTS file successfully
172.20.1.202 application.dev.bka-inc.com removed from HOSTS file successfully
172.20.1.203 reports.dev.bka-inc.com removed from HOSTS file successfully
172.20.1.204 database.test.bka-inc.com removed from HOSTS file successfully
172.20.1.205 application.test.bka-inc.com removed from HOSTS file successfully
172.20.1.206 reports.test.bka-inc.com removed from HOSTS file successfully
70.183.189.124 aragorn.bka-inc.com removed from HOSTS file successfully
10.96.0.170 db1 removed from HOSTS file successfully
10.96.0.171 inf0 removed from HOSTS file successfully
10.96.0.172 app1 removed from HOSTS file successfully
10.96.0.173 inf1 removed from HOSTS file successfully
10.96.0.174 app2 removed from HOSTS file successfully
10.96.0.175 inf2 removed from HOSTS file successfully
10.96.0.176 app3 removed from HOSTS file successfully
209.132.225.87 www.quarantine2019.com removed from HOSTS file successfully
209.132.225.87 quarantine2019.com removed from HOSTS file successfully
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_USERS\S-1-5-21-3135820999-2296613693-2850537065-1008_Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-3135820999-2296613693-2850537065-1008_Classes\exefile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: GraffJ
->Temp folder emptied: 4376453 bytes
->Temporary Internet Files folder emptied: 923684 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 90735712 bytes
->Flash cache emptied: 820933 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 213394 bytes
->Flash cache emptied: 600 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2052245 bytes
->Java cache emptied: 9771 bytes
->Flash cache emptied: 7591 bytes

User: Temp User
->Temp folder emptied: 145184 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 405 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 98304 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 49152 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1245470 bytes

Total Files Cleaned = 96.00 mb


OTL by OldTimer - Version 3.2.11.0 log created on 08292010_143032

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...





Combofix log:

ComboFix 10-08-28.02 - GraffJ 08/29/2010 14:43:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3120 [GMT -4:00]
Running from: c:\documents and settings\GraffJ\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.

2010-08-29 18:33 . 2010-08-29 18:33 1791 ----a-w- c:\documents and settings\GraffJ\Application Data\.purple\certificates\x509\tls_peers\bos.oscar.aol.com
2010-08-29 18:32 . 2010-08-29 18:32 1089 ----a-w- c:\documents and settings\GraffJ\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2010-08-29 18:32 . 2010-08-29 18:32 1505 ----a-w- c:\documents and settings\GraffJ\Application Data\.purple\certificates\x509\tls_peers\slogin.oscar.aol.com
2010-08-29 18:30 . 2010-08-29 18:30 -------- d-----w- C:\_OTL
2010-08-28 07:42 . 2010-08-28 07:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-22 01:04 . 2010-08-22 01:04 -------- d-----w- c:\program files\CCleaner
2010-08-21 11:46 . 2010-08-21 12:06 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-21 02:48 . 2010-08-21 02:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-21 02:48 . 2010-08-21 02:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-20 21:04 . 2010-08-20 21:04 -------- d-----w- c:\program files\ESET
2010-08-20 20:21 . 2010-08-20 20:21 -------- d-----w- c:\program files\Alwil Software
2010-08-20 20:21 . 2010-08-20 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-20 19:19 . 2010-08-20 19:26 -------- d-----w- c:\documents and settings\GraffJ\Application Data\ScanSpyware
2010-08-20 17:58 . 2010-08-20 17:58 28672 ---ha-w- C:\SZKGFS.dat
2010-08-20 17:47 . 2010-08-20 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-08-20 17:47 . 2010-08-20 17:47 262144 ----a-w- c:\documents and settings\ntuser.dat
2010-08-20 17:46 . 2010-08-20 17:46 -------- d-----w- c:\program files\Common Files\iS3
2010-08-20 17:46 . 2010-08-20 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-08-20 17:13 . 2010-08-20 17:13 37248 ----a-w- c:\windows\system32\drivers\gtakoftn.sys
2010-08-20 16:31 . 2010-08-20 16:31 -------- d-----w- c:\documents and settings\GraffJ\Application Data\Malwarebytes
2010-08-20 16:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-20 16:31 . 2010-08-20 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 16:31 . 2010-08-20 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-20 16:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-20 16:29 . 2010-08-20 16:29 388096 ----a-r- c:\documents and settings\GraffJ\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-20 16:29 . 2010-08-20 16:29 -------- d-----w- c:\program files\Trend Micro
2010-08-20 16:16 . 2010-08-20 18:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-20 16:03 . 2010-08-20 18:01 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-18 21:06 . 2010-08-18 21:06 -------- d-----w- c:\program files\Winamp Detect
2010-08-07 03:25 . 2010-08-07 03:25 503808 ----a-w- c:\documents and settings\GraffJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61b1f751-n\msvcp71.dll
2010-08-07 03:25 . 2010-08-07 03:25 499712 ----a-w- c:\documents and settings\GraffJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61b1f751-n\jmc.dll
2010-08-07 03:25 . 2010-08-07 03:25 348160 ----a-w- c:\documents and settings\GraffJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61b1f751-n\msvcr71.dll
2010-08-07 03:24 . 2010-08-07 03:24 61440 ----a-w- c:\documents and settings\GraffJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-260ea45f-n\decora-sse.dll
2010-08-07 03:24 . 2010-08-07 03:24 12800 ----a-w- c:\documents and settings\GraffJ\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-260ea45f-n\decora-d3d.dll
2010-08-07 01:01 . 2010-08-07 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-29 18:45 . 2009-02-06 03:49 -------- d-----w- c:\documents and settings\GraffJ\Application Data\.purple
2010-08-29 14:34 . 2008-04-14 00:06 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-08-26 16:29 . 2009-02-06 03:10 -------- d-----w- c:\documents and settings\GraffJ\Application Data\SQL Developer
2010-08-26 12:42 . 2009-02-06 03:50 -------- d-----w- c:\documents and settings\GraffJ\Application Data\gtk-2.0
2010-08-26 12:41 . 2009-08-03 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\LxThumbs
2010-08-24 12:09 . 2009-01-27 18:07 -------- d-----w- c:\documents and settings\GraffJ\Application Data\U3
2010-08-23 13:10 . 2009-02-10 13:27 -------- d-----w- c:\program files\Windows Grep
2010-08-20 18:03 . 2010-08-20 18:03 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-08-19 02:17 . 2009-09-10 02:17 -------- d-----w- c:\documents and settings\GraffJ\Application Data\Winamp
2010-08-18 21:46 . 2009-09-10 02:17 -------- d-----w- c:\program files\Winamp
2010-08-18 12:27 . 2010-05-21 10:46 -------- d-----w- c:\program files\Pidgin
2010-08-13 02:09 . 2009-01-16 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-30 12:31 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-25 16:16 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-25 16:16 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-25 16:16 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-25 21:27 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2010-08-10 49321]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-09-04 1343488]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2007-06-11 455600]
"lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2007-06-01 20480]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-09-30 298536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-21 13537280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-2-7 128552]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-11-11 950048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2008-11-25 16:32 109568 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2008-09-16 13:59 293888 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\WatchGuard\\Mobile VPN\\NCPMON.exe"=

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/13/2008 6:28 PM 198184]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [9/4/2008 7:28 PM 406808]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 11:41 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 11:41 PM 21352]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [11/11/2008 5:00 PM 451872]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R2 ncpclcfg;ncpclcfg;c:\program files\WatchGuard\Mobile VPN\ncpclcfg.exe [3/27/2010 10:14 PM 86016]
R2 ncprwsnt;ncprwsnt;c:\program files\WatchGuard\Mobile VPN\NCPRWSNT.EXE [3/27/2010 10:14 PM 1065480]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [12/23/2008 8:36 PM 112128]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [12/23/2008 8:36 PM 32808]
R3 NcpFiltMP;NcpFiltMP;c:\windows\system32\drivers\ncpvaxp.sys [3/27/2010 10:14 PM 79528]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [2/12/2009 3:57 PM 99248]
S2 NcpSec;NcpSec;c:\program files\WatchGuard\Mobile VPN\NCPSEC.EXE [3/27/2010 10:14 PM 32768]
S2 rwsrsu;RwsRsu;c:\program files\WatchGuard\Mobile VPN\rwsrsu.exe [3/27/2010 10:14 PM 850432]
S3 GR433S;GR433S;c:\windows\system32\drivers\GR433s.sys [9/8/2009 10:58 AM 66896]
S3 NcpFilt;Ncp Filter Service;c:\windows\system32\drivers\ncpvaxp.sys [3/27/2010 10:14 PM 79528]
S3 ncpvaxp;NCP Secure Client Virtual Adapter Driver;c:\windows\system32\drivers\ncpvaxp.sys [3/27/2010 10:14 PM 79528]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [4/27/2010 11:07 PM 54544]
S3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\drivers\PTUMWCSP.sys [4/27/2010 11:07 PM 160400]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [4/27/2010 11:07 PM 12048]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [4/27/2010 11:07 PM 160400]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [4/27/2010 11:07 PM 115216]
S3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\drivers\PTUMWNSP.sys [4/27/2010 11:07 PM 160400]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [4/27/2010 11:07 PM 160400]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe [1/16/2009 3:03 PM 140208]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3081224
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\GraffJ\Application Data\Mozilla\Firefox\Profiles\6n7p0u1w.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.txt=Notepad++_file
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\GraffJ\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-29 14:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1832)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\accrypto.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\windows\system32\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

- - - - - - - > 'lsass.exe'(1888)
c:\windows\system32\setuid.dll

- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\WININET.dll
c:\program files\TortoiseCVS\TortoiseShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-08-29 14:47:57
ComboFix-quarantined-files.txt 2010-08-29 18:47

Pre-Run: 130,353,192,960 bytes free
Post-Run: 130,304,856,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 90BE53DA7EA68CFA5795783DA582BA46


#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:14 PM

Posted 29 August 2010 - 02:12 PM

Hi JonG10,



QUOTE
I haven't seen a search redirect or spontaneous pop-up in a while

That sounds good. thumbup2.gif we need to scan the remnants with Kas Online scanner. It will take some time to run the full course. Please be patient and do the following:

Step1

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step2

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When Java warning " The applcation digital signature has been verified. Do you want to run the application " appears, Click on "Run" button.
  4. It will be Downloading and installing the program and Updating the database.
  5. When Updating the database have finished, click on Settings.
  6. Make sure all boxes are checked. then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.



Please post back the log in your next reply:

1.Kas Online Scan Report

Let me know if you still have any remaining concerns on your pc.

#9 JonG10

JonG10
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:14 PM

Posted 29 August 2010 - 08:36 PM

I ran ATF; the Kaspersky scan turned up clean. Still no sign of search hijacking or pop-ups; everything is looking good! thumbup.gif
I really appreciate the help, thank you so much.

Edit: One problem I am having is that I need to put some server IP addresses back into my hosts file. This was easy enough but I don't seem to be able to get windows to 'see' the host file edits.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 29, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: 29 August 2010 18:44:42
Records in database: 4167612
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 130912
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:25:04

No threats found. Scanned area is clean.

Selected area has been scanned.

Edited by JonG10, 29 August 2010 - 09:09 PM.


#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:14 PM

Posted 30 August 2010 - 12:08 AM

Hi JonG10,



QUOTE
I don't seem to be able to get windows to 'see' the host file edits

The esay way to see the hosts file is to launch your HijackThis>Do a system scan only>configure>Misc tools>Open hosts file manager>open in notepad. Now you can edit your hosts file.

Other than that, Your system appears to be clean now. thumbup.gif If you have no remaining concerns on your pc, let's do some tidy up and we can send you on your way.

Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step2

Start OTL from your desktop.
  1. Double click OTL and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Being Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Backup your valid registry -ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Due to malware affects, a corrupt registry can prevent a system from booting. You're well advised to backup your valid registry while the system is clean now. For more info: Here and Here .


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!


#11 JonG10

JonG10
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:14 PM

Posted 30 August 2010 - 08:57 AM

Cleanup is all done now. The hosts issue is solved as well. Everything is looking good.
Thanks again for your help!

#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:14 PM

Posted 02 September 2010 - 01:00 AM

Since this issue appears resolved ... this Topic is closed.

Glad to have helped.

Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users