
Google Redirect on Firefox


  • This topic is locked
19 replies to this topic

#1 Nemo Agnomen

  • Members
  • 10 posts

Posted 27 December 2010 - 05:10 PM

Clicking on links in Google search often redirects to a page other than the one in the link.

OS: 32 bit MS Windows XP 2002 Edition SP3
Affects both Firefox 3.6 and Firefox 4 beta 8.

Things that didn't work:

Malwarebytes quick scan and full scan.
Trend Micro Office Scan
Lavasoft Ad-Aware Free Edition scan.

Disabling all Firefox plugins.
Disabling Javascript in Firefox.

Gooredfix.exe - No "Suspect Goored Entries" section in log.
tdsskiller.exe

Installing and using Firefox 4 beta 8 (per suggestion at hxxp://yangyangli.info/?p=191)

--


DDS (Ver_10-12-12.02) - NTFSx86
Run by DiCarlV at 13:30:52.59 on Mon 12/27/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2368 [GMT -8:00]

AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {A384FB96-8BEA-4A63-A99E-12DFEB187A48}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {4C7A6A72-3CBE-4D73-8639-F82AA5378785}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro Personal Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\CA\SC\Csam\SockAdapter\bin\csampmux.exe
C:\Program Files\CA\SC\Systems Performance LiteAgent\bin\casplitegent.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CA\SC\Systems Performance LiteAgent\bin\rtaAgent.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\Program Files\Verdiem\SurveyorSD\Bin\SurveyorSD.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Verdiem\SurveyorSD\bin\SurveyorSession.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\shortkey\SHORTKEY.EXE
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\TEMP\AMCAA1.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\NoteTab Light\NoteTab.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 8\firefox.exe
C:\Documents and Settings\DiCarlV\My Documents\1ctemp\Defogger.exe
C:\Documents and Settings\DiCarlV\My Documents\1ctemp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mDefault_Page_URL = hxxp://doj-portal.caldoj.net/dsb_global/jwsm/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [CA-Update] j:\caupdate\updt.cmd
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SDJobCheck] "c:\program files\ca\unicenter software delivery\sd\..\bin\triggusr.exe"
mRun: [SurveyorSession] c:\program files\verdiem\surveyorsd\bin\SurveyorSession.exe
mRun: [CA-AMAgent] "c:\program files\ca\unicenter asset management\agents\amagent.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [CAF_SystemTray] "c:\program files\ca\dsm\bin\cfSysTray.exe"
mRun: [DsmSxplog] "c:\program files\ca\dsm\bin\sxpstub.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
StartupFolder: c:\docume~1\dicarlv\startm~1\programs\startup\shortk~1.lnk - c:\program files\shortkey\SHORTKEY.EXE
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoDFSTab = 1 (0x1)
uPolicies-explorer: ConfirmFileDelete = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 48 (0x30)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send To CaseMap - c:\windows\system32\lnToCM.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: ca.gov\cadojnet.doj
Trusted Zone: lexis-nexis.com
Trusted Zone: lexisnexis.com
Trusted Zone: lexisone.com
Trusted Zone: lexisultimaterewards.com
Trusted Zone: nexis.com
Trusted Zone: reed-elsevier.com
Trusted Zone: uscourts.gov\ecf.caed
Trusted Zone: uscourts.gov\pacer.psc
Trusted Zone: westlaw.com\print
Trusted Zone: westlaw.com\web2
Trusted Zone: SAAGSFIL
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://saagappsvr01:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://hdcosce01:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {18350088-453C-4407-87ED-361E70FD3285} - hxxps://relativity.encorelegal.com/Relativity/ActiveX/webclientmanager.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://saagappsvr01:4343/officescan/console/html/root/AtxEnc.cab
DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxp://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://hdcosce01:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268259637796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268259583188
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://secure.doj.ca.gov/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {832BF1DE-74EE-4FA6-AC05-63EA5D374403} - hxxps://relativity.encorelegal.com/Relativity/ActiveX/webclientmanager.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://encorediscovery.webex.com/client/T27LB/webex/ieatgpc.cab
TCP: {896AF44A-C7B4-4138-BBF2-81DBBBEEA4E0} = 167.10.22.58,167.10.54.47,167.10.32.80
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: rcHostExt - c:\program files\ca\dsm\bin\rcLoginExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 nwv1_0
LSA: Notification Packages = scecli PGPpwflt
mASetup: {4F3c187E-1F9F-44d4-BDDC-5704D67829DB} - regedit.exe /s H:\ProLaw_Prefs.reg
mASetup: CaseMap7 - regedit.exe /s "c:\program files\casesoft\casemap 7\UserPref.reg"
mASetup: HD2008UserPrefs - regedit.exe /s "c:\program files\hotdocs 6\UserPref.reg"
mASetup: Lexus JIS v.2 - regedit.exe /s "c:\program files\hotdocs 6\lnjis.reg"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dicarlv\applic~1\mozilla\firefox\profiles\bug0s8xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\dicarlv\application data\mozilla\firefox\profiles\bug0s8xn.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 4.0 beta 8\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - %profile%\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: TinyURL Generator: tinyurl.addon@fast-chat.co.uk - %profile%\extensions\tinyurl.addon@fast-chat.co.uk
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-23 64160]
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-6-14 97792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 wscam6300;wscam6300;c:\windows\system32\drivers\wscam6300.sys [2008-5-31 33792]
R1 wstdi;wstdi;c:\windows\system32\drivers\wstdixp.sys [2008-5-31 35584]
R2 CA-MessageQueuing;CA Message Queuing Server;c:\program files\ca\sc\cam\bin\cam.exe [2009-9-14 181512]
R2 CA-SAM-Pmux;CA Connection Broker;c:\program files\ca\sc\csam\sockadapter\bin\CSAMPmux.exe [2010-3-5 169224]
R2 caf;CA DSM r12 Common Application Framework;c:\program files\ca\dsm\bin\CAF.exe [2010-4-26 208648]
R2 CASPLiteAgent;CA Systems Performance LiteAgent;c:\program files\ca\sc\systems performance liteagent\bin\casplitegent.exe [2009-2-12 135168]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2004-6-8 49152]
R2 SDService;Unicenter Software Delivery;c:\program files\ca\unicenter software delivery\bin\SDServ.exe [2006-2-22 32768]
R2 SurveyorSD;Verdiem Surveyor Client;c:\program files\verdiem\surveyorsd\bin\SurveyorSD.exe [2008-8-1 2200832]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-11-26 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-11-26 36432]
R2 WebsenseDesktopClient;Websense Desktop Client;c:\program files\websense\wdc\WDC.exe [2008-5-31 479232]
R3 rcSmCard;rcSmCard;c:\windows\system32\drivers\rcSmCard.sys [2009-4-17 26128]
R3 rcVidCap;rcVidCap;c:\windows\system32\drivers\rcVidMpt.sys [2009-4-17 9872]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-10-8 335888]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2008-10-8 488768]
S3 CA_LIC_CLNT;CA-License Client;c:\windows\LIC98RMT.exe [2004-6-8 73728]
S3 CA_LIC_SRVR;CA-License Server;c:\windows\LIC98RMTD.exe [2004-6-8 73728]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2010-10-4 114704]
S3 RCSpyDDML;RCSpyDDML;c:\windows\system32\drivers\RCSpyMP.sys [2005-8-9 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-8 652552]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2010-12-27 21:06:52 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 8
2010-12-22 18:32:21 49152 ----a-r- c:\docume~1\dicarlv\applic~1\microsoft\installer\{68301107-b9db-4341-bd5f-d87d931e81d8}\Winjis.exe_5EBF60338A25438EA0B38CAFDB8E57D7.exe
2010-12-22 18:32:21 49152 ----a-r- c:\docume~1\dicarlv\applic~1\microsoft\installer\{68301107-b9db-4341-bd5f-d87d931e81d8}\NewShortcut11_6CFF1E7389234A949C07687ECFA1D3A1.exe
2010-12-22 18:32:20 49152 ----a-r- c:\docume~1\dicarlv\applic~1\microsoft\installer\{68301107-b9db-4341-bd5f-d87d931e81d8}\ARPPRODUCTICON.exe
2010-12-09 01:14:59 87552 --sha-r- c:\windows\system32\MSSTDFMTH.dll

==================== Find3M ====================

2010-12-22 20:33:09 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 13:31:38.58 ===============


Edited by Orange Blossom, 30 December 2010 - 12:35 AM.
Deactivated link. ~ OB
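The DDS log above is what the helpers on this board read by hand. What follows is an added example, not code from this thread, from BleepingComputer or from the DDS tool: a small Python triage script that walks the Running Processes, Pseudo HJT Report and FIREFOX sections of a DDS log and flags the kinds of lines a malware-removal helper looks at first for a search-redirect complaint: executables running out of a temp directory, autoruns launched from a non-system drive, orphaned "No File" entries, Windows Update lockout policies, a Winsock LSP, DNS servers outside an allowlist, and Firefox prefs that can redirect traffic or searches (network.proxy.*, keyword.URL, browser.search.defaulturl). The heuristics, the expected_dns allowlist and the network.proxy.type line in the sample are my assumptions; the other sample lines are copied from the log above. A hit means "check this", not "this is malware": on a managed domain machine like this one, update-lockout policies and a fixed DNS server set are commonly pushed by group policy, and the LSP path here points at a PGP DLL.

```python
"""Triage helper for a DDS log (added example; not the DDS tool or a
BleepingComputer script). Flags lines a malware-removal helper reads first.
A Finding is a prompt to look, not a verdict."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


# "============== Running Processes ===============" style section headers.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Executable or autorun target living under a temp directory.
TEMP_PATH_RE = re.compile(r"\\(temp|tmp|local settings\\temp)\\", re.I)
# Registered object whose backing file is gone.
ORPHAN_RE = re.compile(r"-\s*No File\s*$", re.I)
# Policies that block updates or admin tools (set by GPO or by malware).
POLICY_RE = re.compile(
    r"^[um]Policies-\w+:\s*(NoAutoUpdate|NoWindowsUpdate|DisableRegistryTools|DisableTaskMgr)\b",
    re.I)
# Run-key entries that give a full path; captures the path.
RUN_RE = re.compile(r'^[um]Run:\s*\[[^\]]*\]\s*"?([a-z]:\\[^"]*)', re.I)
# DDS "TCP: {adapter GUID} = dns1,dns2,..." line.
DNS_RE = re.compile(r"^TCP:\s*\{[0-9a-f-]+\}\s*=\s*([\d.,]+)", re.I)
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(\S+)\s*-\s*(.*)$")
# Firefox prefs that can silently redirect traffic or searches (assumed list).
REDIRECT_PREFS = ("network.proxy.", "keyword.URL", "browser.search.defaulturl")


def triage(log_text, expected_dns=frozenset()):
    """Return Findings for the DDS sections that matter in a redirect case.
    expected_dns: resolver IPs the machine should use; empty set skips that check."""
    findings = []
    section = "HEADER"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = SECTION_RE.match(line)
        if hdr:
            section = hdr.group(1).upper()
            continue
        if section == "RUNNING PROCESSES":
            if TEMP_PATH_RE.search(line):
                findings.append(Finding(section, line, "executable running from a temp directory"))
        elif section == "PSEUDO HJT REPORT":
            if ORPHAN_RE.search(line):
                findings.append(Finding(section, line, "orphaned entry: registered but file missing"))
            elif POLICY_RE.match(line):
                findings.append(Finding(section, line, "update/tool lockout policy; confirm it is GPO, not malware"))
            elif line.upper().startswith("LSP:"):
                findings.append(Finding(section, line, "Winsock LSP sees all socket traffic; verify the DLL's signer"))
            elif (run := RUN_RE.match(line)):
                path = run.group(1)
                if not path.lower().startswith("c:\\") or TEMP_PATH_RE.search(path):
                    findings.append(Finding(section, line, "autorun from a non-system drive or temp directory"))
            elif (dns := DNS_RE.match(line)) and expected_dns:
                unexpected = sorted(set(dns.group(1).split(",")) - set(expected_dns))
                if unexpected:
                    findings.append(Finding(section, line, f"DNS servers not in allowlist: {unexpected}"))
        elif section == "FIREFOX":
            pref = FF_PREF_RE.match(line)
            if pref and pref.group(1).startswith(REDIRECT_PREFS):
                findings.append(Finding(section, line,
                                        f"redirect-capable Firefox pref set: {pref.group(1)} = {pref.group(2)}"))
    return findings


# Constructed sample in the DDS layout. All lines are copied from the log
# posted above except the last one (network.proxy.type), which I added to
# exercise the Firefox check.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\TEMP\AMCAA1.EXE
C:\Program Files\Mozilla Firefox 4.0 Beta 8\firefox.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [CA-Update] j:\caupdate\updt.cmd
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 48 (0x30)
LSP: c:\windows\system32\PGPlsp.dll
TCP: {896AF44A-C7B4-4138-BBF2-81DBBBEEA4E0} = 167.10.22.58,167.10.54.47,167.10.32.80
Notify: rcHostExt - c:\program files\ca\dsm\bin\rcLoginExt.dll

================= FIREFOX ===================

FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 1
"""

if __name__ == "__main__":
    # Allowlist is an assumption: the third resolver in the log is left out
    # on purpose so the DNS check produces a finding.
    for f in triage(SAMPLE_LOG, expected_dns={"167.10.22.58", "167.10.54.47"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a full DDS log by reading the file into triage(); pass the resolvers your network team actually hands out as expected_dns, otherwise the DNS check is skipped. Everything it prints still needs a human to check the signer and hash of the file behind the line before any removal step.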



#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 03 January 2011 - 10:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Nemo Agnomen
  • Topic Starter

  • Members
  • 10 posts

Posted 04 January 2011 - 09:04 PM

Thanks for the help, Shannon. Here's the information I think you asked for.

I have been using computers since they had ferrite core memory, and this is the stubbornest malware I've run across. I look forward to cleaning my computer and learning as much as possible from you in the process.

In case you're curious, there's more about me at http://www.kdnuggets.com/news/2007/n09/7i.html

Vincent

--

DDS (Ver_10-12-12.02) - NTFSx86
Run by DiCarlV at 17:43:20.81 on Tue 01/04/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2520 [GMT -8:00]

AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {A384FB96-8BEA-4A63-A99E-12DFEB187A48}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {4C7A6A72-3CBE-4D73-8639-F82AA5378785}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*
FW: Trend Micro Personal Firewall *Enabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\CA\SC\Csam\SockAdapter\bin\csampmux.exe
C:\Program Files\CA\SC\Systems Performance LiteAgent\bin\casplitegent.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CA\SC\Systems Performance LiteAgent\bin\rtaAgent.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\Program Files\Verdiem\SurveyorSD\Bin\SurveyorSD.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Verdiem\SurveyorSD\bin\SurveyorSession.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\shortkey\SHORTKEY.EXE
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\TEMP\OF5039.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 8\firefox.exe
C:\Documents and Settings\DiCarlV\My Documents\1ctemp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mDefault_Page_URL = hxxp://doj-portal.caldoj.net/dsb_global/jwsm/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [CA-Update] j:\caupdate\updt.cmd
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SDJobCheck] "c:\program files\ca\unicenter software delivery\sd\..\bin\triggusr.exe"
mRun: [SurveyorSession] c:\program files\verdiem\surveyorsd\bin\SurveyorSession.exe
mRun: [CA-AMAgent] "c:\program files\ca\unicenter asset management\agents\amagent.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [CAF_SystemTray] "c:\program files\ca\dsm\bin\cfSysTray.exe"
mRun: [DsmSxplog] "c:\program files\ca\dsm\bin\sxpstub.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
StartupFolder: c:\docume~1\dicarlv\startm~1\programs\startup\shortk~1.lnk - c:\program files\shortkey\SHORTKEY.EXE
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoDFSTab = 1 (0x1)
uPolicies-explorer: ConfirmFileDelete = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 48 (0x30)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send To CaseMap - c:\windows\system32\lnToCM.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: ca.gov\cadojnet.doj
Trusted Zone: lexis-nexis.com
Trusted Zone: lexisnexis.com
Trusted Zone: lexisone.com
Trusted Zone: lexisultimaterewards.com
Trusted Zone: nexis.com
Trusted Zone: reed-elsevier.com
Trusted Zone: uscourts.gov\ecf.caed
Trusted Zone: uscourts.gov\pacer.psc
Trusted Zone: westlaw.com\print
Trusted Zone: westlaw.com\web2
Trusted Zone: SAAGSFIL
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://saagappsvr01:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://hdcosce01:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {18350088-453C-4407-87ED-361E70FD3285} - hxxps://relativity.encorelegal.com/Relativity/ActiveX/webclientmanager.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://saagappsvr01:4343/officescan/console/html/root/AtxEnc.cab
DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxp://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://hdcosce01:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268259637796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268259583188
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://secure.doj.ca.gov/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {832BF1DE-74EE-4FA6-AC05-63EA5D374403} - hxxps://relativity.encorelegal.com/Relativity/ActiveX/webclientmanager.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://encorediscovery.webex.com/client/T27LB/webex/ieatgpc.cab
TCP: {896AF44A-C7B4-4138-BBF2-81DBBBEEA4E0} = 167.10.22.58,167.10.54.47,167.10.32.80
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: rcHostExt - c:\program files\ca\dsm\bin\rcLoginExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 nwv1_0
LSA: Notification Packages = scecli PGPpwflt
mASetup: {4F3c187E-1F9F-44d4-BDDC-5704D67829DB} - regedit.exe /s H:\ProLaw_Prefs.reg
mASetup: CaseMap7 - regedit.exe /s "c:\program files\casesoft\casemap 7\UserPref.reg"
mASetup: HD2008UserPrefs - regedit.exe /s "c:\program files\hotdocs 6\UserPref.reg"
mASetup: Lexus JIS v.2 - regedit.exe /s "c:\program files\hotdocs 6\lnjis.reg"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dicarlv\applic~1\mozilla\firefox\profiles\bug0s8xn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\dicarlv\application data\mozilla\firefox\profiles\bug0s8xn.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 4.0 beta 8\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - %profile%\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: TinyURL Generator: tinyurl.addon@fast-chat.co.uk - %profile%\extensions\tinyurl.addon@fast-chat.co.uk
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-23 64160]
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-6-14 97792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 wscam6300;wscam6300;c:\windows\system32\drivers\wscam6300.sys [2008-5-31 33792]
R1 wstdi;wstdi;c:\windows\system32\drivers\wstdixp.sys [2008-5-31 35584]
R2 CA-MessageQueuing;CA Message Queuing Server;c:\program files\ca\sc\cam\bin\cam.exe [2009-9-14 181512]
R2 CA-SAM-Pmux;CA Connection Broker;c:\program files\ca\sc\csam\sockadapter\bin\CSAMPmux.exe [2010-3-5 169224]
R2 caf;CA DSM r12 Common Application Framework;c:\program files\ca\dsm\bin\CAF.exe [2010-4-26 208648]
R2 CASPLiteAgent;CA Systems Performance LiteAgent;c:\program files\ca\sc\systems performance liteagent\bin\casplitegent.exe [2009-2-12 135168]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2004-6-8 49152]
R2 SDService;Unicenter Software Delivery;c:\program files\ca\unicenter software delivery\bin\SDServ.exe [2006-2-22 32768]
R2 SurveyorSD;Verdiem Surveyor Client;c:\program files\verdiem\surveyorsd\bin\SurveyorSD.exe [2008-8-1 2200832]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-11-26 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-11-26 36432]
R2 WebsenseDesktopClient;Websense Desktop Client;c:\program files\websense\wdc\WDC.exe [2008-5-31 479232]
R3 rcSmCard;rcSmCard;c:\windows\system32\drivers\rcSmCard.sys [2009-4-17 26128]
R3 rcVidCap;rcVidCap;c:\windows\system32\drivers\rcVidMpt.sys [2009-4-17 9872]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-10-8 335888]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2008-10-8 488768]
S3 CA_LIC_CLNT;CA-License Client;c:\windows\LIC98RMT.exe [2004-6-8 73728]
S3 CA_LIC_SRVR;CA-License Server;c:\windows\LIC98RMTD.exe [2004-6-8 73728]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2010-10-4 114704]
S3 RCSpyDDML;RCSpyDDML;c:\windows\system32\drivers\RCSpyMP.sys [2005-8-9 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-8 652552]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2010-12-29 18:29:27 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
2010-12-29 18:29:23 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-29 18:28:44 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-27 21:06:52 -------- d-----w- c:\program files\Mozilla Firefox 4.0 Beta 8
2010-12-22 18:32:21 49152 ----a-r- c:\docume~1\dicarlv\applic~1\microsoft\installer\{68301107-b9db-4341-bd5f-d87d931e81d8}\Winjis.exe_5EBF60338A25438EA0B38CAFDB8E57D7.exe
2010-12-22 18:32:21 49152 ----a-r- c:\docume~1\dicarlv\applic~1\microsoft\installer\{68301107-b9db-4341-bd5f-d87d931e81d8}\NewShortcut11_6CFF1E7389234A949C07687ECFA1D3A1.exe
2010-12-22 18:32:20 49152 ----a-r- c:\docume~1\dicarlv\applic~1\microsoft\installer\{68301107-b9db-4341-bd5f-d87d931e81d8}\ARPPRODUCTICON.exe
2010-12-09 01:14:59 87552 --sha-r- c:\windows\system32\MSSTDFMTH.dll

==================== Find3M ====================

2010-12-30 02:48:02 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-21 12:12:30 389120 ----a-w- c:\windows\system32\html.iec
2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 17:44:04.33 ===============

Attached File  Attach.zip   4.51KB   2 downloads
Attached File  ark.zip   1.82KB   5 downloads

#4 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:11:19 PM

Posted 06 January 2011 - 10:07 AM

Hello Nemo Agnomen


I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right-click and then choose Run as Administrator for any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Thank you for your patience!!
PW

#5 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:11:19 PM

Posted 06 January 2011 - 10:13 AM

Hi Nemo Agnomen,

Before we begin I need to know if this is a business computer.

Please advise. :)


Thanks!!
PW

#6 Nemo Agnomen

Nemo Agnomen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:19 PM

Posted 06 January 2011 - 05:57 PM

Government business, yes. I work for the state of California, and it is my work computer.

#7 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:11:19 PM

Posted 07 January 2011 - 05:03 AM

Hi Nemo Agnomen,

Have you informed your domain administrator (business manager, Systems Analyst, or Information Technology (IT) Specialist) of your problems?
I ask because I do not HELP remove malware from any business or corporate or institution related computers for several reasons:

  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

I will ask if another member of the MRT would like to help you.


Thanks!!
PW

#8 Nemo Agnomen

Nemo Agnomen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:19 PM

Posted 07 January 2011 - 03:35 PM

Thanks. Meanwhile, I will check further on this end.

-v

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:19 AM

Posted 07 January 2011 - 06:40 PM

Hi Vincent,

Welcome to the Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. As you might know, the helpers at BC are volunteers and are mostly careful not to get involved in any legally uncertain process; apologies for any inconvenience. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more. Thank you.

Let's see what is there.

Please download MBRCheck by clicking here and save it to your desktop.
  • Double click on the file to run it.
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.

Edited by farbar, 07 January 2011 - 06:41 PM.


#10 Nemo Agnomen

Nemo Agnomen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:19 PM

Posted 07 January 2011 - 07:35 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x031c27ec

Kernel Drivers (total 170):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 intelide.sys
0xB9F4A000 pcmcia.sys
0xBA0B8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA5AE000 dmload.sys
0xB9F05000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9EED000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xB9ECD000 fltmgr.sys
0xB9EAC000 PGPfsfd.sys
0xB9E9A000 sr.sys
0xBA0F8000 Lbd.sys
0xB9E84000 DRVMCDB.SYS
0xBA4C4000 nwfilter.sys
0xB9E52000 PGPwded.sys
0xBA338000 PxHelp20.sys
0xB9E3B000 KSecDD.sys
0xB9DAE000 Ntfs.sys
0xB9D81000 NDIS.sys
0xBA108000 nicm.sys
0xB9D67000 Mup.sys
0xBA118000 agp440.sys
0xBA308000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xBA550000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA554000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB935B000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB9347000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB931F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB92F5000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA430000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB92D1000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xBA438000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA318000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xBA440000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xBA448000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xBA138000 \SystemRoot\System32\DRIVERS\serial.sys
0xBA558000 \SystemRoot\System32\DRIVERS\serenum.sys
0xB92BD000 \SystemRoot\System32\DRIVERS\parport.sys
0xBA148000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5F6000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xBA158000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xBA168000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB929A000 \SystemRoot\System32\DRIVERS\ks.sys
0xBA777000 \SystemRoot\system32\DRIVERS\rcVidMpt.sys
0xBA779000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA178000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xBA560000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB9283000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA188000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA198000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xBA450000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB9272000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA1A8000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xBA458000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xBA460000 \SystemRoot\System32\DRIVERS\raspti.sys
0xB9242000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xBA1E8000 \SystemRoot\System32\DRIVERS\termdd.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\rcSmCard.sys
0xBA57C000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
0xBA5FE000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB91E4000 \SystemRoot\System32\DRIVERS\update.sys
0xBA580000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xBA468000 \SystemRoot\system32\DRIVERS\omci.sys
0xB8C15000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xB7412000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA3BF5000 \SystemRoot\system32\drivers\sthda.sys
0xA3BD1000 \SystemRoot\system32\drivers\portcls.sys
0xB680F000 \SystemRoot\system32\drivers\drmk.sys
0xA3B97000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0xA3AA0000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0xA39EA000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xB63CD000 \SystemRoot\System32\Drivers\Modem.SYS
0xB67EF000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xBA5E8000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xBA5EA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB4C07000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5EC000 \SystemRoot\System32\Drivers\Beep.SYS
0xB63BD000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xB63B5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB63AD000 \SystemRoot\System32\drivers\vga.sys
0xBA5EE000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5F0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB63A5000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB639D000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB6532000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xA38B3000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xA385A000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xA3832000 \SystemRoot\System32\DRIVERS\netbt.sys
0xA3810000 \SystemRoot\System32\drivers\afd.sys
0xB67DF000 \SystemRoot\System32\DRIVERS\netbios.sys
0xB67BF000 \SystemRoot\System32\Drivers\wstdixp.sys
0xA37FD000 \SystemRoot\System32\Drivers\WSKDLL.SYS
0xB67AF000 \SystemRoot\System32\Drivers\wscam6300.sys
0xA37C6000 \SystemRoot\System32\drivers\truecrypt.sys
0xA37B5000 \SystemRoot\system32\DRIVERS\tmtdi.sys
0xA3794000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xB6395000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB679F000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xA2851000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xA27E1000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xB678F000 \SystemRoot\System32\Drivers\Fips.SYS
0x9BB07000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9BA77000 \SystemRoot\system32\DRIVERS\usbccid.sys
0xB3DDC000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB4D76000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB4C2F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB3DD8000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xA39E2000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xA39DA000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xB4D66000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xB68EF000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB6536000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0x9B9B2000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB54E6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA590000 \SystemRoot\System32\drivers\Dxapi.sys
0xA39BA000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB7871000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF021000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF043000 \SystemRoot\System32\ialmdev5.DLL
0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0x9C58B000 \??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
0x9C59B000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0x9BBFF000 \SystemRoot\System32\DLA\DLADResN.SYS
0x9B80C000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0x9C283000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xBA634000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xBA498000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0x9B7F4000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0x9B7DE000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xBA3A8000 \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
0xB9D22000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xBA3B0000 \SystemRoot\system32\NetWare\resmgr.sys
0x9B767000 \SystemRoot\system32\NetWare\srvloc.sys
0x9E5EE000 \SystemRoot\system32\NetWare\NWSNS.sys
0x9B7D6000 \SystemRoot\system32\NetWare\NWHOST.sys
0xBA1B8000 \SystemRoot\system32\NetWare\nwdns.sys
0x9B6C4000 \SystemRoot\system32\NetWare\nwfs.sys
0xBA408000 \SystemRoot\system32\NetWare\nwslp.sys
0x9B687000 \SystemRoot\System32\Drivers\PGPdisk.SYS
0xB3DF0000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xBA420000 \SystemRoot\system32\NetWare\nwdhcp.sys
0xB94B8000 \SystemRoot\System32\Drivers\PGPsdk.sys
0x9B5B8000 \SystemRoot\System32\DRIVERS\srv.sys
0x9AC99000 \SystemRoot\system32\drivers\wdmaud.sys
0x9ADC6000 \SystemRoot\system32\drivers\sysaudio.sys
0x9A34B000 \SystemRoot\System32\Drivers\Udfs.SYS
0xBA358000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x9A25E000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys
0x9A11A000 \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
0x9A0CE000 \??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 71):
0 System Idle Process
4 System
892 C:\WINDOWS\system32\smss.exe
996 csrss.exe
1020 C:\WINDOWS\system32\winlogon.exe
1064 C:\WINDOWS\system32\services.exe
1076 C:\WINDOWS\system32\lsass.exe
1304 C:\WINDOWS\system32\svchost.exe
1392 svchost.exe
1504 C:\WINDOWS\system32\svchost.exe
1600 C:\WINDOWS\system32\svchost.exe
1752 svchost.exe
1764 C:\WINDOWS\system32\svchost.exe
1828 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
1960 C:\WINDOWS\system32\spoolsv.exe
2012 scardsvr.exe
256 C:\Program Files\CA\SC\CAM\bin\cam.exe
280 C:\Program Files\CA\SC\Csam\SockAdapter\bin\CSAMPmux.exe
296 C:\Program Files\CA\SC\Systems Performance LiteAgent\bin\casplitegent.exe
408 C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
448 C:\Program Files\Java\jre6\bin\jqs.exe
464 C:\Program Files\CA\SC\Systems Performance LiteAgent\bin\RtaAgent.exe
492 C:\WINDOWS\LogWatNT.exe
568 C:\WINDOWS\system32\tcpsvcs.exe
604 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
656 C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
704 C:\WINDOWS\system32\PGPserv.exe
1124 C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
1440 C:\WINDOWS\system32\rundll32.exe
1472 C:\WINDOWS\system32\PSIService.exe
1528 C:\Program Files\CA\Unicenter Software Delivery\BIN\SDServ.exe
1636 C:\Program Files\Verdiem\SurveyorSD\Bin\SurveyorSD.exe
1848 wdfmgr.exe
1868 C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.exe
188 WDC.exe
248 C:\Program Files\CA\DSM\bin\CAF.exe
356 C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
680 wmiprvse.exe
2948 C:\Program Files\CA\DSM\bin\cfsmsmd.exe
3240 C:\Program Files\CA\DSM\bin\ccnfAgent.exe
3316 C:\Program Files\CA\DSM\bin\cfnotsrvd.exe
3356 C:\Program Files\CA\DSM\bin\ccsmagtd.exe
3520 C:\Program Files\CA\DSM\bin\rcHost.exe
3684 C:\Program Files\CA\DSM\bin\amswmagt.exe
3924 C:\Program Files\CA\DSM\bin\cfFTPlugin.exe
2052 unsecapp.exe
2492 C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
792 C:\WINDOWS\Temp\HV2AAD.EXE
476 C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
2596 C:\WINDOWS\explorer.exe
2044 C:\WINDOWS\system32\nwtray.exe
3552 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
4064 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
1204 C:\WINDOWS\system32\hkcmd.exe
2168 C:\WINDOWS\system32\igfxpers.exe
2184 C:\WINDOWS\system32\igfxsrvc.exe
2212 C:\WINDOWS\stsystra.exe
3400 C:\Program Files\Verdiem\SurveyorSD\Bin\SurveyorSession.exe
2444 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2364 C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
2692 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
3232 C:\WINDOWS\system32\ctfmon.exe
2716 C:\Program Files\shortkey\SHORTKEY.EXE
2852 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
1264 C:\Documents and Settings\All Users\Application Data\Prolaw Local\prolaw.exe
2292 C:\Program Files\TrueCrypt\TrueCrypt.exe
3408 C:\Program Files\GroupWise\grpwise.exe
748 C:\Program Files\NoteTab Light\NoteTab.exe
2896 C:\Program Files\Mozilla Firefox 4.0 Beta 8\firefox.exe
3820 C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
3076 C:\Documents and Settings\DiCarlV\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> error 32
\\.\T: --> error 1

PhysicalDrive0 Model Number: HitachiHTS721080G9SA00, Rev: MC4OC10H

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: EC1541E9C8AFFE86183B15D64533A0F831FF3F21


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:19 AM

Posted 07 January 2011 - 07:40 PM

Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like: TDSSKiller.Version_Date_Time_log.txt.


#12 Nemo Agnomen

Nemo Agnomen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:19 PM

Posted 07 January 2011 - 07:46 PM

No reboot requested by TDSSKiller. Log below.

-v

--

2011/01/07 16:44:20.0312 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/07 16:44:20.0312 ================================================================================
2011/01/07 16:44:20.0312 SystemInfo:
2011/01/07 16:44:20.0312
2011/01/07 16:44:20.0312 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/07 16:44:20.0312 Product type: Workstation
2011/01/07 16:44:20.0312 ComputerName: HQBMCF-7DV7VC1
2011/01/07 16:44:20.0312 UserName: DiCarlV
2011/01/07 16:44:20.0312 Windows directory: C:\WINDOWS
2011/01/07 16:44:20.0312 System windows directory: C:\WINDOWS
2011/01/07 16:44:20.0312 Processor architecture: Intel x86
2011/01/07 16:44:20.0312 Number of processors: 1
2011/01/07 16:44:20.0312 Page size: 0x1000
2011/01/07 16:44:20.0312 Boot type: Normal boot
2011/01/07 16:44:20.0312 ================================================================================
2011/01/07 16:44:20.0553 Initialize success
2011/01/07 16:44:24.0308 ================================================================================
2011/01/07 16:44:24.0308 Scan started
2011/01/07 16:44:24.0308 Mode: Manual;
2011/01/07 16:44:24.0308 ================================================================================
2011/01/07 16:44:27.0513 ================================================================================
2011/01/07 16:44:27.0513 Scan finished
2011/01/07 16:44:27.0513 ================================================================================

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:19 AM

Posted 07 January 2011 - 07:53 PM

Yet we need to check MBR to make sure.

  • Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).
  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    @echo off
    MBR.exe -c 0 1 MBR_BKP.zip
    echo.&echo. Done!
    pause
    

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this: Posted Image
  • Double-click to run it.
  • The command prompt shows "Done!". Press a key to exit. A file will be made on your desktop (MBR_BKP.zip). Please attach it to your next reply.
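As an added example (not part of Farbar's instructions and not GMER's MBR.exe), this is the kind of offline check a responder can run over the 512-byte sector that step produces: it verifies the 0x55AA boot signature, parses the four partition entries, checks them for overlap and a single active flag, and compares the SHA1 of the boot code against a known-good baseline. The sample sector and the known-good hash set are constructed placeholders; the sample's single partition starts at LBA 63, which is the 0x7E00 byte offset MBRCheck reported for C: above.

```python
"""Offline triage of a raw 512-byte MBR dump (e.g. the sector inside MBR_BKP.zip)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440        # bytes 0..439 hold boot code, before the disk signature
TABLE_OFFSET = 446        # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"

# Placeholder (constructed): in practice fill this with SHA1 digests of the boot
# code taken from known-good installs of the same Windows version. While empty,
# every sector is reported as "unknown MBR code", the same stance MBRCheck takes.
KNOWN_GOOD_BOOTCODE_SHA1 = set()


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian LBA fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "status": status,
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "byte_offset": lba_start * SECTOR_SIZE,
        "sectors": sectors,
    }


def analyze_mbr(sector: bytes) -> dict:
    """Return structural findings plus hashes to compare against a baseline."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    entries = [parse_partition_entry(sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    used = [e for e in entries if e["type"] != 0]
    if not used:
        findings.append("empty partition table")
    active = [e for e in used if e["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02X}")
    # Used partitions must not overlap one another on disk.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (_s1, end1), (start2, _end2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"partitions overlap at LBA {start2}")
    code_sha1 = hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper()
    if code_sha1 not in KNOWN_GOOD_BOOTCODE_SHA1:
        findings.append("boot code SHA1 not in known-good list (unknown MBR code)")
    return {
        "bootcode_sha1": code_sha1,
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "disk_signature": sector[440:444].hex(),
        "partitions": used,
        "findings": findings,
    }


def build_sample_mbr(with_signature: bool = True) -> bytes:
    """Constructed sample: one active NTFS partition at LBA 63 (byte offset 0x7E00).
    with_signature=False simulates a sector whose 0x55AA trailer has been wiped."""
    bootcode = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTCODE_LEN - 7)
    disk_sig = b"\xDE\xAD\xBE\xEF" + b"\x00\x00"      # 4-byte disk signature + 2 reserved
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 156_296_322)
    table = entry + b"\x00" * 48                       # three unused entries
    sector = bootcode + disk_sig + table
    sector += BOOT_SIGNATURE if with_signature else b"\x00\x00"
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    for label, dump in (("intact", build_sample_mbr()),
                        ("tampered", build_sample_mbr(with_signature=False))):
        report = analyze_mbr(dump)
        print(f"{label}: sector SHA1 {report['sector_sha1']}")
        for p in report["partitions"]:
            print(f"  type 0x{p['type']:02X} at LBA {p['lba_start']} "
                  f"(offset 0x{p['byte_offset']:X}), {p['sectors']} sectors")
        for f in report["findings"]:
            print(f"  ! {f}")
```

To run it on a real dump, read the 512 bytes out of the archive and pass them to analyze_mbr; the hash mismatch is only meaningful once the baseline set holds digests from a trusted install.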


#14 Nemo Agnomen

Nemo Agnomen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:19 PM

Posted 07 January 2011 - 08:01 PM

MBR_BKP.zip attached.

-v

--

Attached File  MBR_BKP.zip   512bytes   4 downloads

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:19 AM

Posted 07 January 2011 - 08:14 PM

The MBR doesn't show the pattern of the known MBR infections. It doesn't show the pattern of a known good XP MBR either, which is why both MBRCheck and GMER suspect it.

We want to run ComboFix. I'm not sure if CA will be effectively disabled to be able to run the tool.

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the download sites for ComboFix not being trusted; click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [screenshot]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
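The MBR check in posts #13 and #15 comes down to reading the 512-byte sector dump (MBR_BKP.zip) and asking whether the partition table is sane and whether the bootstrap code matches a known-good pattern, which is what MBRCheck and GMER do. The following Python parser is an added example, not part of the thread and not the code of any tool named in it; the MBR it checks is a constructed sample (the real dump is not on the page), and the set of known-good bootstrap hashes is an assumption the analyst must supply.

```python
import hashlib
import io
import struct
import zipfile

# Constructed sample: a 512-byte MBR with one bootable NTFS partition, standing in
# for the thread's MBR_BKP.zip dump (which is not available on the page).
def build_sample_mbr() -> bytes:
    boot_code = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006") + b"\x00" * 429
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 4194304)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"

def build_sample_zip() -> bytes:
    """Wrap the sample sector in a zip the way the batch file in #13 produces one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MBR_BKP.bin", build_sample_mbr())
    return buf.getvalue()

def mbr_from_zip(data: bytes) -> bytes:
    """Return the first member of a zip archive such as MBR_BKP.zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(zf.namelist()[0])

def check_mbr(sector: bytes, known_good_bootcode: frozenset = frozenset()) -> dict:
    """Parse a 512-byte MBR and list the anomalies an analyst would want to see."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    findings, parts = [], []
    if sector[510:512] != b"\x55\xaa":
        findings.append("boot signature is not 0x55AA")
    for i in range(4):  # four 16-byte partition entries start at offset 446
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one bootable partition")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    # Bootstrap code (first 446 bytes) is compared by hash against an analyst-supplied
    # known-good set; an empty set (assumed default) skips this check.
    code_hash = hashlib.sha256(sector[:446]).hexdigest()
    if known_good_bootcode and code_hash not in known_good_bootcode:
        findings.append("bootstrap code does not match any supplied known-good hash")
    return {"partitions": parts, "bootcode_sha256": code_hash, "findings": findings}
```

Run `check_mbr(mbr_from_zip(open("MBR_BKP.zip", "rb").read()))` on a real dump; an unexpected bootstrap hash alone does not prove infection, only that the code is not in the reference set.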




