
DDS utility failed


13 replies to this topic

#1 LenB

LenB

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:45 AM

Posted 02 November 2010 - 09:54 AM

Working through Prep Guide Steps. My issues are browser re-directs.

The DDS utility seemed to be running normally and, when it seemed to be near the end of the process, the screen went black and the computer restarted, so no log file. Tried 2 more times, same result.

My GMER log is pasted below and attached. What's my next step?

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-11-02 09:47:29
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ACCT1\LOCALS~1\Temp\fftdapow.sys


---- Kernel code sections - GMER 1.0.15 ----

LOCKcode˙˙˙˙USRoslbA C:\WINDOWS\System32\DRIVERS\USRoslbA.sys entry point in "LOCKcode˙˙˙˙USRoslbA" section [0xF79B5320]
.rsrc C:\WINDOWS\system32\drivers\InCDPass.sys entry point in ".rsrc" section [0xB9D8FF94]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)

Device \FileSystem\Fastfat \FatCdrom AB038D20

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 vsp.sys (Volume Snapshot Provider Driver/VERITAS Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A6ADAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A6ADAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A6ADAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A6ADAEA
Device 8A6ADAEA
Device atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\USBSTOR -> DriverStartIo \Device\0000007e F77B8F26
Device \Driver\USBSTOR \Device\0000007e F77BC218
Device \Driver\USBSTOR -> DriverStartIo \Device\0000007f F77B8F26
Device \Driver\USBSTOR \Device\0000007f F77BC218
Device \FileSystem\Fastfat \Fat AB038D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-00DKA0______________________77.07W77#4457572d414d4d48303139323533_030_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\Tx4ole.ocx 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\Tx32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\txtls32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\wndtls32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\txobj32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\ic32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\ic32.ini 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\tx_bmp32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\tx_tif32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\tx_wmf32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\tx_jpg32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\tx_png32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\tx_rtf32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\tx_htm32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAX2KSE\tx_word.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\SQL\Resources\1033\sqlsvc.rll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\SQL\w95scm.DLL 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\SQL\sqlsvc.DLL 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\SQL\sqlresld.DLL 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\SQL\Resources\1033\Sqldmo.rll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\SQL\SQLDMO.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\Tx4ole.ocx 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\Tx32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\txtls32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\wndtls32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\txobj32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\ic32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\ic32.ini 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\tx_bmp32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\tx_tif32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\tx_wmf32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\tx_jpg32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\tx_png32.flt 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\tx_rtf32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\tx_htm32.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\MC² Software\BIDFAXPro\tx_word.dll 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 78165135 (+224): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File

Attached Files

  • Attached File  ARK.txt   19.19KB   1 downloads



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 AM

Posted 02 November 2010 - 03:18 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#3 LenB

LenB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:45 AM

Posted 02 November 2010 - 04:25 PM

Thanks for the reply. I noticed I was also experiencing DNS change issues, and once I made some corrections I could then update MBAM and have been able to successfully run the updated version. It discovered and removed Rootkit.tdss and I seem to be back to normal.

That log is shown below. Let me know if you think we should continue with ComboFix or wait and see how things go.

Thanks again!



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5021

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/2/2010 1:50:18 PM
mbam-log-2010-11-02 (13-50-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 403600
Time elapsed: 2 hour(s), 12 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{F655F4F6-1396-47C3-96CB-539AE0F654AE}\RP2171\A0209613.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Acct1\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 AM

Posted 02 November 2010 - 05:44 PM

Personally I would run combofix.

So long, and thanks for all the fish.

 

 


#5 LenB

LenB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:45 AM

Posted 02 November 2010 - 05:48 PM

Will do. Already experiencing some browser redirects again.

#6 LenB

LenB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:45 AM

Posted 03 November 2010 - 01:25 PM

Ran CF... System seems to be running fine for now... but it has only been an hour or so.

CF gave an alert that it had found Rootkit-tdl3 and to be patient. Then it asked to reboot, after which it resumed and finished.

Tried to paste the log but received message that it was too long, so I attached the file. Let me know if I should try another way.

Thanks.

ComboFix 10-11-02.06 - acct1 11/03/2010 12:10:52.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2032 [GMT -4:00]
Running from: c:\documents and settings\ACCT1\Desktop\ComboFixNew.exe
AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {F65A9E8C-56B0-41A1-9422-383776AA3C23}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\olepro32.dll

Infected copy of c:\windows\system32\drivers\InCDPass.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))
.

2010-11-01 16:29 . 2010-11-01 16:29 -------- d-----w- c:\documents and settings\ACCT1\Application Data\Malwarebytes
2010-11-01 15:54 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-01 15:54 . 2010-11-01 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-01 15:54 . 2010-11-01 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-01 15:54 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-30 22:05 . 2010-10-30 22:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-10-29 12:44 . 2010-10-29 12:43 389120 ----a-w- c:\windows\system32\CF14761.exe
2010-10-21 13:10 . 2010-10-21 13:10 -------- d-----w- c:\documents and settings\ACCT1\Application Data\azzCardfile
2010-10-21 13:10 . 2010-10-21 13:10 -------- d-----w- c:\program files\azzCardfile
2010-10-14 17:43 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 17:43 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 17:42 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 17:47 . 2010-10-12 17:47 -------- d-----w- c:\documents and settings\Acct1\WebEx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2002-08-29 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2002-08-29 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2002-08-29 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2002-08-29 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-13 12:07 . 2010-09-13 12:07 1409 ----a-w- c:\windows\QTFont.for
2010-09-10 05:58 . 2005-02-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2002-08-29 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-08-29 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2002-08-29 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2002-08-29 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2002-08-29 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-05-07 18:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2002-08-29 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-04-14 18:40 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-18 68856]
"Zinio DLM"="c:\program files\Zinio\ZinioDeliveryManager.exe" [2006-09-22 1003590]
"TaskScheduler"="c:\prowin09\32bit\tasksch.exe" [2010-09-14 460120]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProTaskScheduler"="c:\prowin04\32bit\tasksch.exe" [2005-02-12 643072]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2003-05-04 57393]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2003-05-04 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-20 148888]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2010-07-29 959824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-05-07 417792]
"Family Tree Builder Update"="c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe" [2009-11-02 222736]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Acct1\Start Menu\Programs\Startup\
Launch Internet Explorer Browser.lnk - c:\program files\Internet Explorer\iexplore.exe [2003-9-1 638816]
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2004-11-26 794624]
Sprint media monitor.lnk - c:\program files\Sprint Instinct Applications\MEMonitor.exe [2008-12-1 1258840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CleverKeys.lnk - c:\program files\Lexico\CleverKeys\CK.exe [2008-3-12 561664]
Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\Bin\w3dbsmgr.exe [2005-10-19 102450]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2006-6-20 5976064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58664112-691126847-3236641149-1142\Scripts\Logon\0\0]
"Script"=\\3dky.local\SysVol\3dky.local\scripts\Default.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58664112-691126847-3236641149-500\Scripts\Logon\0\0]
"Script"=\\3dky.local\SysVol\3dky.local\scripts\Default.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 17:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1234800034\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2006-11-10 20:19 1051648 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 21:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QMusic]
2003-08-22 14:12 110592 ----a-w- c:\program files\BenQ\QMusic2\QMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-05-07 15:49 417792 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-06-24 02:12 319488 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-06-25 05:18 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-01 23:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\siService.exe]
2004-01-26 16:57 204800 ----a-w- c:\program files\Sunbelt Software\iHateSpam\siService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2006-09-22 16:47 1003590 ----a-w- c:\program files\Zinio\ZinioDeliveryManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"LightScribeService"=2 (0x2)
"InCDsrv"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\PVSW\\Bin\\w3dbsmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Axis Communications\\AXIS IP Utility\\IPUtility.exe"=
"c:\\Program Files\\Axis Communications\\AXIS Camera Management\\AXISCameraManagement.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"44261:TCP"= 44261:TCP:Trend Micro Client/Server Security Agent Listener

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [6/3/2003 4:52 PM 123957]
R0 VSP;Volume Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [9/5/2003 12:36 PM 50592]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [6/3/2003 4:52 PM 46900]
R2 MSSQL$JJKA_KDS;MSSQL$JJKA_KDS;c:\program files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe -sJJKA_KDS --> c:\program files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe -sJJKA_KDS [?]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\TIMBERLINE OFFICE\Shared\Sage.ServiceHost.Host.exe [1/19/2007 4:04 PM 81920]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [6/17/2009 1:01 PM 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [6/17/2009 1:01 PM 36368]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [6/17/2009 1:01 PM 689416]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/6/2010 3:34 PM 136176]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [2/2/2004 3:14 PM 72704]
S3 SQLAgent$JJKA_KDS;SQLAgent$JJKA_KDS;c:\program files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlagent.EXE -i JJKA_KDS --> c:\program files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlagent.EXE -i JJKA_KDS [?]
S3 viz2000;Visioneer USB Kernel V2.0;c:\windows\system32\drivers\usbscan.sys [4/20/2005 8:11 AM 15104]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-06 19:34]

2010-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-06 19:34]

2010-11-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-10-26 c:\windows\Tasks\test01a.job
- c:\windows\system32\ntbackup.exe [2002-08-29 09:42]

2010-11-03 c:\windows\Tasks\Wed Test.job
- c:\windows\system32\ntbackup.exe [2002-08-29 09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: axiscam.net\paradiseview
Trusted Zone: construction .com\sso
Trusted Zone: construction.com
Trusted Zone: construction.com\mhc.cn
Trusted Zone: construction.com\network
Trusted Zone: jjg.com\web-exp
TCP: {82D25B55-810A-46D0-BAAE-48E42AF4A3D6} = 192.168.1.90,4.2.2.2
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://65.13.81.233/kxhcm10.ocx
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://755vicki.axiscam.net:4080/activex/decoder/mpeg4_dec.cab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://65.166.170.11:95/RemoteWeb.cab
DPF: {5CB26FF7-663A-471F-BDA2-15FE6CCA1B6F} - hxxp://demo-ip-sd10x.ipcam4u.net:9007/admin/AproDx9.cab
DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://65.166.170.11:95/VideoViewer.cab
DPF: {8AF9A654-6644-46AD-A344-34B71839659E} - hxxp://www.tutorials.com/plugins/Plugin0501.0104/fixst.cab
DPF: {98BC86B6-F34A-4BCB-8F82-489C5F59EC2B} - hxxp://microsoft.granitepillar.com/vlattend/shared/VMRCActiveXClient.cab
DPF: {994CF098-73ED-4C83-B227-B15F2A8D6177} - hxxps://www.d-life.com/D-Life//DLCUALibrary.cab
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://paradisecondos.dipmap.com/cab/OCXChecker_8000.cab
DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} - hxxp://lopes.armstrong.com/ib/databases/actimage40803.cab
DPF: {BA7A56EB-D1B9-443B-96E9-086532A378F1} - hxxp://755vicki.axiscam.net:4080/activex/decoder/aac_dec.cab
DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://192.168.1.60:4080/activex/decoder/intel_mpeg4_dec.cab
DPF: {C60C276B-0F00-44D8-8D68-7B326A35401E} - hxxp://network.construction.com/ActiveX/FileDownloader2.cab
DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} - hxxp://tcappp.ky.gov/forms90/jinitiator/jinit.exe
DPF: {CCBDF033-DD85-45FD-AE68-FBC4A7C7C154} - hxxp://viewer.network.construction.com/IGC/BravaClientX.cab
DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://paradisecondos.dipmap.com/cab/DownloadFile_8000.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://herringtonview1.axiscam.net:4080/activex/AMC.cab
DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://71.160.124.238/user/TSBnwCam.CAB
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\progra~1\MALWAR~1\MBAM.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ProTaskScheduler = c:\prowin04\32bit\tasksch.exe???:?I?"???????t????????????XF????? ??|`??|????]??|?2C??????????2C?????`???????(tH?|????????????4C??*G??????2C?U?E?P?????A?P???????????????`????????bF??????9A???????A?|???/dF??????N@???F??>???????????>????F? ?????????????????F??%?
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TaskScheduler = c:\prowin09\32bit\tasksch.exe??????????????xp??L?#?x????P??????????x????????<???????p??L????P??????L????m???????4??????xn??? ????u??l???8????`C?????]?@??u??l???l???X?????C??????nA??????u??????l????q???????*C??????K@???C?J?:?&???!???H?:???C???:???????????:???C

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-03 12:24:24
ComboFix-quarantined-files.txt 2010-11-03 16:24
ComboFix2.txt 2010-10-29 15:13
ComboFix3.txt 2009-07-08 14:53
ComboFix4.txt 2009-05-07 22:25

Pre-Run: 1,327,902,720 bytes free
Post-Run: 1,300,242,432 bytes free

- - End Of File - - 16187FE3CCC30B70DA16FA3745575FB2


Edited by Noviciate, 03 November 2010 - 03:40 PM.
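The "Supplementary Scan" lines in the ComboFix log above are where the browser redirects show up: `uInternet Settings,ProxyServer = http=127.0.0.1:50370` sends the user's browser through a proxy on the machine itself, and the GMER log in the first post flags end-of-disk sectors as rootkit-like. As an added example, not part of this thread and not ComboFix's or GMER's own code, here is a small Python triage script that picks the proxy, DNS and disk-sector lines out of a log in that format and grades them; the sample log is constructed by hand from the lines quoted in this thread.

```python
import ipaddress
import re

# Constructed sample in the format of ComboFix's "Supplementary Scan" section
# plus one line from GMER's "Disk sectors" section; the values are the ones
# quoted in this thread, assembled here by hand so the script runs offline.
SAMPLE_LOG = """\
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: construction.com
TCP: {82D25B55-810A-46D0-BAAE-48E42AF4A3D6} = 192.168.1.90,4.2.2.2
Disk \\Device\\Harddisk0\\DR0 sectors 78165135 (+224): rootkit-like behavior;
"""

# ComboFix prefixes per-user settings with "u" and machine-wide ones with "m".
PROXY_RE = re.compile(r"^([um])Internet Settings,ProxyServer\s*=\s*(.+)$")
# Per-interface DNS servers, keyed by the interface GUID, comma separated.
DNS_RE = re.compile(r"^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*(.+)$")
# GMER's end-of-disk warning: device, first flagged sector, number of sectors.
SECTOR_RE = re.compile(
    r"^Disk\s+(\S+)\s+sectors\s+(\d+)\s*\(\+(\d+)\):\s*rootkit-like behavior"
)

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_proxy(value):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    Handles both the bare 'host:port' form and the per-protocol
    'http=host:port;https=host:port' form; scheme is None for the bare form
    and port is None when absent.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = None, part
        if ":" in hostport:
            host, _, port = hostport.rpartition(":")
        else:
            host, port = hostport, ""
        entries.append((scheme, host, int(port) if port.isdigit() else None))
    return entries


def triage(log_text):
    """Return (severity, message) findings for the hijack-relevant lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = PROXY_RE.match(line)
        if m:
            scope = "user" if m.group(1) == "u" else "machine"
            for scheme, host, port in parse_proxy(m.group(2)):
                label = f"{scheme or 'all'} -> {host}:{port}"
                if host in LOOPBACK_HOSTS:
                    # A proxy on the machine itself means some local process sits
                    # between the browser and the network; unless the owner
                    # installed one, that is an interception/redirect indicator.
                    findings.append(("high", f"{scope} browser proxy on loopback: {label}"))
                else:
                    findings.append(("info", f"{scope} browser proxy configured: {label}"))
            continue

        m = DNS_RE.match(line)
        if m:
            for server in m.group(1).split(","):
                server = server.strip()
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    findings.append(("medium", f"unparseable DNS server entry: {server!r}"))
                    continue
                # A resolver on the LAN is expected; a public one is not wrong,
                # but it must be one the owner chose, so surface it for review.
                kind = "private" if ip.is_private else "public"
                findings.append(("info" if ip.is_private else "medium", f"DNS resolver {ip} ({kind})"))
            continue

        m = SECTOR_RE.match(line)
        if m:
            device, start, count = m.group(1), int(m.group(2)), int(m.group(3))
            findings.append(("high", f"GMER flags {count} sectors from {start} on {device} as rootkit-like"))
    return findings


def highest_severity(findings):
    """Overall grade for a log: 'high', 'medium', 'info', or None if nothing matched."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((sev for sev, _ in findings), key=order.get, default=None)


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {msg}")
```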


#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 AM

Posted 03 November 2010 - 03:43 PM

Good evening. :)

I've edited in part of the CF log in your post above to make it easier to reference. Will you run DDS and let me have both the DDS log and attach.txt - copy and paste the first and attach the second, thanks.

So long, and thanks for all the fish.

 

 


#8 LenB

LenB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:45 AM

Posted 03 November 2010 - 04:17 PM

Hello. Really appreciate your help!

I downloaded DDS and started it after disabling my AV. It ran for a while, then the screen went black and the computer restarted.

When I logged in, I received a notification in the sys tray that space on the hard drive was low, which soon went away. I checked and I have 1.3GB free on a 37GB drive.

I also received a Windows message during desktop load that the system had recovered from a serious error and a log was available, but I did not go there yet.

No DDS logs were generated that I know of.

#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 AM

Posted 03 November 2010 - 05:54 PM

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.
  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

The size of your hard drive may mean that backing up any files that you don't use to either a second external hard drive or disks is going to be necessary to free up some space.

So long, and thanks for all the fish.

#10 LenB

LenB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:45 AM

Posted 04 November 2010 - 04:57 PM

Sorry for the delay. Been out of the office most of the day.

Deleted several programs and files...now have 3GB free. Can do more if needed.

My AV software (Trend Micro small business) blocked the TFC link. I bypassed the warning and downloaded but then TM sounded more alarms about the file on the desktop and indicated a trojan in the file. I was concerned about proceeding.

Did run chkdsk and no issues.

Will run defrag once decide on TFC. Please advise.

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 AM

Posted 04 November 2010 - 06:15 PM

Been out of the office most of the day.


My AV software (Trend Micro small business)

I take it this is a business machine - yes?

So long, and thanks for all the fish.

#12 LenB

LenB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:45 AM

Posted 05 November 2010 - 06:51 AM

Yes, a small office. Problem?

#13 LenB

LenB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:45 AM

Posted 05 November 2010 - 09:36 AM

Not sure if you can help but defragged C drive and DDS ran.

DDS Log pasted below....other log attached.


DDS (Ver_10-11-03.01) - NTFSx86
Run by acct1 at 7:53:48.33 on Fri 11/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2098 [GMT -4:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {F65A9E8C-56B0-41A1-9422-383776AA3C23}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexico\CleverKeys\CK.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\Documents and Settings\ACCT1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Zinio DLM] c:\program files\zinio\ZinioDeliveryManager.exe /autostart
uRun: [TaskScheduler] c:\prowin09\32bit\tasksch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ProTaskScheduler] c:\prowin04\32bit\tasksch.exe
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Family Tree Builder Update] c:\program files\myheritage\bin\FTBCheckUpdates.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\acct1\startm~1\programs\startup\launch~1.lnk - c:\program files\internet explorer\iexplore.exe
StartupFolder: c:\docume~1\acct1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{90e00409-6000-11d3-8cfe-0150048383c9}\outicon.exe
StartupFolder: c:\docume~1\acct1\startm~1\programs\startup\sprint~1.lnk - c:\program files\sprint instinct applications\MEMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\clever~1.lnk - c:\program files\lexico\cleverkeys\CK.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 8\SnagIt32.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: axiscam.net\paradiseview
Trusted Zone: construction .com\sso
Trusted Zone: construction.com
Trusted Zone: construction.com\mhc.cn
Trusted Zone: construction.com\network
Trusted Zone: jjg.com\web-exp
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://65.13.81.233/kxhcm10.ocx
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://755vicki.axiscam.net:4080/activex/decoder/mpeg4_dec.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://65.166.170.11:95/RemoteWeb.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/e/37.09/HboD-mApHAo/uploader2.cab
DPF: {5CB26FF7-663A-471F-BDA2-15FE6CCA1B6F} - hxxp://demo-ip-sd10x.ipcam4u.net:9007/admin/AproDx9.cab
DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://65.166.170.11:95/VideoViewer.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124237333244
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://lharper.earthcam.net/viewer/AMC.cab
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8AF9A654-6644-46AD-A344-34B71839659E} - hxxp://www.tutorials.com/plugins/Plugin0501.0104/fixst.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {98BC86B6-F34A-4BCB-8F82-489C5F59EC2B} - hxxp://microsoft.granitepillar.com/vlattend/shared/VMRCActiveXClient.cab
DPF: {994CF098-73ED-4C83-B227-B15F2A8D6177} - hxxps://www.d-life.com/D-Life//DLCUALibrary.cab
DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - hxxp://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.6181712963
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://paradisecondos.dipmap.com/cab/OCXChecker_8000.cab
DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} - hxxp://lopes.armstrong.com/ib/databases/actimage40803.cab
DPF: {BA7A56EB-D1B9-443B-96E9-086532A378F1} - hxxp://755vicki.axiscam.net:4080/activex/decoder/aac_dec.cab
DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://192.168.1.60:4080/activex/decoder/intel_mpeg4_dec.cab
DPF: {C60C276B-0F00-44D8-8D68-7B326A35401E} - hxxp://network.construction.com/ActiveX/FileDownloader2.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} - hxxp://tcappp.ky.gov/forms90/jinitiator/jinit.exe
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CCBDF033-DD85-45FD-AE68-FBC4A7C7C154} - hxxp://viewer.network.construction.com/IGC/BravaClientX.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553635000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://paradisecondos.dipmap.com/cab/DownloadFile_8000.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://herringtonview1.axiscam.net:4080/activex/AMC.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://construction.webex.com/client/T23L/training/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} - hxxp://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://71.160.124.238/user/TSBnwCam.CAB
TCP: {82D25B55-810A-46D0-BAAE-48E42AF4A3D6} = 192.168.1.90,4.2.2.2
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2003-6-3 123957]
R0 VSP;Volume Snapshot Provider;c:\windows\system32\drivers\VSP.SYS [2003-9-5 50592]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2003-6-3 46900]
R2 MSSQL$JJKA_KDS;MSSQL$JJKA_KDS;c:\program files\microsoft sql server\mssql$jjka_kds\binn\sqlservr.exe -sjjka_kds --> c:\program files\microsoft sql server\mssql$jjka_kds\binn\sqlservr.exe -sJJKA_KDS [?]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline office\shared\Sage.ServiceHost.Host.exe [2007-1-19 81920]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-6-17 36368]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-6 136176]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2009-6-17 230928]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\common files\intuit\fuse\service\Intuit Fuse Service.exe [2004-2-2 72704]
S3 SQLAgent$JJKA_KDS;SQLAgent$JJKA_KDS;c:\program files\microsoft sql server\mssql$jjka_kds\binn\sqlagent.exe -i jjka_kds --> c:\program files\microsoft sql server\mssql$jjka_kds\binn\sqlagent.EXE -i JJKA_KDS [?]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2009-6-17 689416]
S3 viz2000;Visioneer USB Kernel V2.0;c:\windows\system32\drivers\usbscan.sys [2005-4-20 15104]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2010-11-04 22:38:18 -------- d-----w- c:\docume~1\acct1\applic~1\Auslogics
2010-11-04 22:37:39 -------- d-----w- c:\program files\Auslogics
2010-11-03 15:49:21 -------- d-----w- C:\ComboFixNew
2010-11-01 16:29:48 -------- d-----w- c:\docume~1\acct1\applic~1\Malwarebytes
2010-11-01 15:54:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-01 15:54:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-01 15:54:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-01 15:54:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-29 12:47:29 88064 ----a-w- c:\windows\MBR.exe
2010-10-29 12:44:56 389120 ----a-w- c:\windows\system32\CF14761.exe
2010-10-21 13:10:39 -------- d-----w- c:\docume~1\acct1\applic~1\azzCardfile
2010-10-21 13:10:38 -------- d-----w- c:\program files\azzCardfile
2010-10-14 17:43:05 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 17:43:04 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 17:42:57 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 17:47:24 -------- d-----w- c:\documents and settings\acct1\WebEx

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-13 12:07:54 1409 ----a-w- c:\windows\QTFont.for
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 7:56:49.64 ===============

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:10:45 AM

Posted 05 November 2010 - 03:02 PM

Good evening. :)

There are two "issues" as far as business machines are concerned. The first is the risk associated with data loss. Should something untoward happen to either your machine or another on a network then the cost to the business could be quite large - not something I wish to be involved in.
The second is that there are certain expenses that form part of the day to day running of a business, and computer maintenance is one of them.

The forum has no specific rules regarding working business machines; individuals are free to decide for themselves. While the legal ramifications appear to have been covered by the terms and conditions that you agreed to when you joined the site, although there is still some uncertainty as to which country's laws would take precedence in any legal claim, the idea that a company can make use of free help to reduce costs/increase profits isn't something that I agree with. As such I'm not able to continue with this issue.

You are however free to start a fresh thread if you wish and wait for somebody who is happier working on business machines.

So long, and thanks for all the fish.
