
Malwarebytes has blocked access to a potentially malicious website


  • This topic is locked
19 replies to this topic

#1 keepncool

keepncool

  • Members
  • 35 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 26 December 2011 - 08:59 PM

I have been getting a message from Malwarebytes indicating it has blocked access to a potentially malicious website. There are a number of different IP addresses that show on the log. My computer will no longer go into standby (it just hangs on a black screen). I have not noticed any other problems. Any help is greatly appreciated.
thanks,
mike

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23
Run by cyorkmi at 17:19:04 on 2011-12-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3036.1220 [GMT -6:00]
.
AV: Symantec Endpoint Protection *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\LonWorks\bin\LnsMtsSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Inetpub\Wwwroot\MetasysIII\Tool\bin\ActionQueue.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\WINDOWS\system32\PrintCtrl.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Altiris\Carbon Copy\client.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\SoftGate\SoftGateNotify.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\PrintDisp.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\cyorkmi\Desktop\Metalog.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.johnsoncontrols.com/
uInternet Connection Wizard,ShellNext = hxxp://localhost/SCT
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\cyorkmi\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [AccessManager] c:\program files\accessmanager\client\AccessMgr.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [Softgate] c:\program files\softgate\SoftGateNotify.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [PrintDisp] c:\windows\system32\PrintDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\documents and settings\cyorkmi\start menu\programs\startup\shortc~1.lnk - c:\documents and settings\cyorkmi\desktop\Metalog.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\aim version update reminder.lnk - c:\program files\johnson controls\aim\aimver\reminder.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\auto run of videocam suite 1.0.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\cisco systems vpn client.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\dvd check.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program files\microsoft office\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1310616047109
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.johnsoncontrols.com/eRoomSetup/client.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://jwimkns12.na.jci.com/dwa8W.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A93F2C38-ECE3-46F5-A7FB-3C10234008A3} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: AMINIT.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - shdocvw.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cyorkmi\application data\mozilla\firefox\profiles\6szzaxkv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64808
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\cyorkmi\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre1.6.0_23\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npeRoom7.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2011-7-5 24064]
R2 AMBroker;Access Manager Configuration Service;c:\program files\accessmanager\client\AMBroker.exe [2011-7-5 81920]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-7-5 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-7-5 108392]
R2 hhdserhelp;HHD Software Serial Monitoring Helper Driver;c:\windows\system32\drivers\hhdserhelp.sys [2011-8-29 17192]
R2 LnsMtsSvc;Echelon Support Service for Microsoft Terminal Services (MTS);c:\lonworks\bin\LnsMtsSvc.exe [2011-7-4 62776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-5 366152]
R2 MIIIAQ;Metasys III Action Queue;c:\inetpub\wwwroot\metasysiii\tool\bin\ActionQueue.exe [2011-6-27 192512]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2011-8-1 65536]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-7-5 2440632]
R2 TSM Scheduler;TSM Scheduler;c:\program files\tivoli\tsm\baclient\dsmcsvc.exe [2011-7-5 3117056]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2011-7-5 475520]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-7-5 228408]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2011-7-5 240344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-11 105592]
R3 hhdserial32;HHD Software Serial Monitoring Filter Driver;c:\windows\system32\drivers\hhdserial32.sys [2011-8-29 31016]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2011-7-5 41216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-5 22216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110810.003\NAVENG.SYS [2011-8-11 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110810.003\NAVEX15.SYS [2011-8-11 1576312]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2011-7-5 47616]
S1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2011-7-5 9216]
S2 ChkLpt;ChkLpt;c:\windows\system32\drivers\Chklpt.sys [2011-7-5 6364]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-7-5 23888]
S3 DAPlugin;Visual Insight DA Plugin;c:\program files\accessmanager\client\DAPlugin.exe [2011-7-5 81920]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys --> c:\windows\system32\drivers\e1k5132.sys [?]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2011-7-5 29404]
S3 LdvxBroker;Echelon xDriver Connection Broker;c:\lonworks\bin\LdvxBroker.exe [2011-7-4 66872]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-12-26 41272]
S3 NDMSHLP;Device Monitor Helper Driver;c:\program files\common files\hhd software\device monitor\NDMSHLP.sys [2005-5-24 7632]
S3 sp_spi_da;Visual Insight Dial Analysis;c:\program files\accessmanager\smoc\spi_da.exe [2011-7-5 81920]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-7-5 189792]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-9-4 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-26 18:14:53 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-25 21:49:44 -------- d-----w- c:\program files\SpywareBlaster
2011-12-25 17:59:11 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-24 02:13:00 -------- d-----w- c:\program files\ARRL 2010 Handbook
2011-12-22 02:09:45 -------- d-----w- c:\documents and settings\cyorkmi\application data\Simon Brown, HB9DRV
2011-12-22 02:09:29 -------- d-----w- c:\program files\Amateur Radio
2011-12-22 02:09:18 724992 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iKernel.dll
2011-12-22 02:09:18 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\ctor.dll
2011-12-22 02:09:18 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\DotNetInstaller.exe
2011-12-22 02:09:18 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\Setup.dll
2011-12-22 02:09:18 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iscript.dll
2011-12-22 02:09:18 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iuser.dll
2011-12-22 02:09:18 184452 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iGdi.dll
2011-12-21 21:55:34 -------- d-----w- c:\documents and settings\cyorkmi\local settings\application data\GlobalSCAPE
2011-12-21 21:55:34 -------- d-----w- c:\documents and settings\all users\application data\GlobalSCAPE
2011-12-21 21:55:15 -------- d-----w- c:\program files\GlobalSCAPE
2011-12-21 05:39:55 -------- d-----w- C:\DXLab
2011-12-20 11:57:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-20 04:05:43 102400 ----a-w- c:\windows\RegBootClean.exe
2011-12-20 03:30:53 38056 ----a-w- c:\windows\system32\drivers\WGX.SYS
2011-12-19 14:04:34 -------- d--h--w- c:\documents and settings\cyorkmi\application data\3E60CFE9
2011-12-04 15:57:22 -------- d-----w- c:\program files\MagicISO
2011-12-01 23:41:39 53248 ----a-r- c:\documents and settings\cyorkmi\application data\microsoft\installer\{dc33421c-0e1c-470a-be37-7b7c82677812}\EchoLink_Web_Site._B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2011-12-01 23:41:39 53248 ----a-r- c:\documents and settings\cyorkmi\application data\microsoft\installer\{dc33421c-0e1c-470a-be37-7b7c82677812}\EchoLink_Support.u_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2011-12-01 23:41:39 45056 ----a-r- c:\documents and settings\cyorkmi\application data\microsoft\installer\{dc33421c-0e1c-470a-be37-7b7c82677812}\EchoLink.chm_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2011-12-01 23:41:39 40960 ----a-r- c:\documents and settings\cyorkmi\application data\microsoft\installer\{dc33421c-0e1c-470a-be37-7b7c82677812}\EchoLink.exe11_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2011-12-01 23:41:39 40960 ----a-r- c:\documents and settings\cyorkmi\application data\microsoft\installer\{dc33421c-0e1c-470a-be37-7b7c82677812}\EchoLink.exe1_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2011-12-01 23:41:39 40960 ----a-r- c:\documents and settings\cyorkmi\application data\microsoft\installer\{dc33421c-0e1c-470a-be37-7b7c82677812}\ARPPRODUCTICON.exe
2011-12-01 23:41:39 -------- d-----w- c:\program files\K1RFD
2011-11-30 20:50:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
==================== Find3M ====================
.
2011-12-21 05:42:02 249856 ------w- c:\windows\Setup1.exe
2011-12-21 05:41:59 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-11-30 20:50:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-22 17:48:48 229888 ----a-w- c:\documents and settings\cyorkmi\DataRefreshUI_5.2.0.5400.dll
2011-11-07 21:38:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-30 15:01:50 228352 ----a-w- c:\documents and settings\cyorkmi\DataRefreshUI_5.1.0.4400.dll
.
============= FINISH: 17:19:59.95 ===============

Edited by keepncool, 26 December 2011 - 09:02 PM.
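
A first triage pass over a DDS log like the one above, as an added example that is not part of the original post or of the DDS tool itself. The sample lines are a constructed excerpt echoing entries from that log; the severity levels, the "hidden directory with an 8-hex-digit name" heuristic, and the reading of the attribute column (`d` for directory, `h` for hidden) are this example's own assumptions. Two things the log supports are worth making explicit in code: the AV line reports real-time protection as disabled or outdated, and Firefox has a proxy host of 127.0.0.1:64808 configured but `network.proxy.type` is 0, which means "no proxy", so that setting is inert until the type changes to 1 (manual proxy). The `AppInit_DLLs` and `user.js` entries are flagged only for review, not as malicious.

```python
"""Heuristic triage of a DDS (sUBs) log. Added example, not the tool's own code."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt echoing lines from the DDS log posted above.
SAMPLE_LINES = [
    r"AV: Symantec Endpoint Protection *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}",
    r"AppInit_DLLs: AMINIT.dll",
    r"FF - prefs.js: network.proxy.http - 127.0.0.1",
    r"FF - prefs.js: network.proxy.http_port - 64808",
    r"FF - prefs.js: network.proxy.type - 0",
    r"FF - user.js: security.warn_viewing_mixed - false",
    r"FF - user.js: security.warn_submit_insecure - false",
    r"2011-12-20 03:30:53 38056 ----a-w- c:\windows\system32\drivers\WGX.SYS",
    r"2011-12-19 14:04:34 -------- d--h--w- c:\documents and settings\cyorkmi\application data\3E60CFE9",
    r"2011-12-04 15:57:22 -------- d-----w- c:\program files\MagicISO",
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}

# "Created Last 30" rows: date time size attrs path  (attrs assumed: d=dir, h=hidden)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S{8}) (.+)$")
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8}$")          # heuristic, not proof of anything
FF_PREF_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "info"
    line: str
    reason: str


def _check_av(line, out):
    if line.startswith("AV:") and "*Disabled" in line:
        out.append(Finding("high", line,
                           "real-time AV is disabled or its definitions are stale; "
                           "nothing on the host is currently blocking known malware"))


def _check_appinit(line, out):
    if line.startswith("AppInit_DLLs:"):
        value = line.split(":", 1)[1].strip()
        if value:   # AppInit_DLLs is loaded into every process that links user32.dll
            out.append(Finding("medium", line,
                               f"AppInit_DLLs loads {value} into every GUI process; "
                               "confirm its on-disk path and publisher"))


def _check_created(line, out):
    m = CREATED_RE.match(line)
    if not m:
        return
    attrs, path = m.group(4), m.group(5)
    name = path.rsplit("\\", 1)[-1]
    is_dir, hidden = attrs.startswith("d"), "h" in attrs
    in_profile = "\\documents and settings\\" in path.lower()
    if is_dir and hidden and in_profile and HEX_NAME_RE.match(name):
        out.append(Finding("high", line,
                           "hidden directory with a random-looking 8-hex-digit name inside a "
                           "user profile (heuristic); list its contents before deciding"))
    elif hidden and in_profile:
        out.append(Finding("medium", line, "hidden object created inside a user profile; verify its origin"))
    if not is_dir and "\\drivers\\" in path.lower() and name.lower().endswith(".sys"):
        out.append(Finding("medium", line,
                           "kernel driver created in the last 30 days; verify its signer and owning product"))


def _check_firefox(prefs, out):
    """prefs maps (file, key) -> value. network.proxy.type 0 = no proxy, 1 = manual."""
    host = prefs.get(("prefs.js", "network.proxy.http"))
    port = prefs.get(("prefs.js", "network.proxy.http_port"), "?")
    ptype = prefs.get(("prefs.js", "network.proxy.type"))
    if host:
        desc = f"network.proxy.http = {host}:{port}, network.proxy.type = {ptype}"
        if ptype == "1":
            loopback = host in ("127.0.0.1", "localhost", "::1")
            out.append(Finding("high" if loopback else "medium", desc,
                               "manual proxy is active; identify the process listening on that port"))
        else:
            out.append(Finding("info", desc,
                               "proxy host is set but the proxy type is not 1 (manual), so the "
                               "setting is inert; re-check if the type changes"))
    for (fname, key), value in prefs.items():
        if fname == "user.js" and key.startswith("security.warn_") and value == "false":
            out.append(Finding("medium", f"user.js: {key} = {value}",
                               "user.js re-applies this on every start and silences a browser "
                               "security warning; check what wrote the file"))


def triage(lines):
    """Return findings for the given DDS log lines, highest severity first."""
    out, prefs = [], {}
    for raw in lines:
        line = raw.strip()
        _check_av(line, out)
        _check_appinit(line, out)
        _check_created(line, out)
        m = FF_PREF_RE.match(line)
        if m:
            prefs[(m.group(1), m.group(2))] = m.group(3).strip()
    _check_firefox(prefs, out)
    out.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The IP addresses Malwarebytes blocked do not appear in DDS output at all; the Malwarebytes protection log is where to look, and the first thing to establish there is direction: an outgoing block means a process on this host initiated the connection, which is a much stronger signal than inbound noise hitting the machine.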



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,627 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:15 PM

Posted 01 January 2012 - 09:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434654 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 keepncool

keepncool
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 01 January 2012 - 11:06 PM

There have not been any changes since the request for help. I was able to get the scans completed, but I had to uncheck the Devices tab in GMER to get a completed scan.
thanks for your help.
keepncool

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23
Run by cyorkmi at 21:36:24 on 2012-01-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3036.1363 [GMT -6:00]
.
AV: Symantec Endpoint Protection *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\LonWorks\bin\LnsMtsSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Inetpub\Wwwroot\MetasysIII\Tool\bin\ActionQueue.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\WINDOWS\system32\PrintCtrl.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Altiris\Carbon Copy\client.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\SoftGate\SoftGateNotify.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\PrintDisp.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\cyorkmi\Desktop\Metalog.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.johnsoncontrols.com/
uInternet Connection Wizard,ShellNext = hxxp://localhost/SCT
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\cyorkmi\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_Plugin.exe -update plugin
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [AccessManager] c:\program files\accessmanager\client\AccessMgr.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [Softgate] c:\program files\softgate\SoftGateNotify.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [PrintDisp] c:\windows\system32\PrintDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\documents and settings\cyorkmi\start menu\programs\startup\shortc~1.lnk - c:\documents and settings\cyorkmi\desktop\Metalog.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\aim version update reminder.lnk - c:\program files\johnson controls\aim\aimver\reminder.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\auto run of videocam suite 1.0.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\cisco systems vpn client.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\dvd check.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program files\microsoft office\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1310616047109
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.johnsoncontrols.com/eRoomSetup/client.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://jwimkns12.na.jci.com/dwa8W.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A93F2C38-ECE3-46F5-A7FB-3C10234008A3} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: AMINIT.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - shdocvw.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cyorkmi\application data\mozilla\firefox\profiles\6szzaxkv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64808
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\cyorkmi\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre1.6.0_23\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npeRoom7.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2011-7-5 24064]
R2 AMBroker;Access Manager Configuration Service;c:\program files\accessmanager\client\AMBroker.exe [2011-7-5 81920]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-7-5 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-7-5 108392]
R2 hhdserhelp;HHD Software Serial Monitoring Helper Driver;c:\windows\system32\drivers\hhdserhelp.sys [2011-8-29 17192]
R2 LnsMtsSvc;Echelon Support Service for Microsoft Terminal Services (MTS);c:\lonworks\bin\LnsMtsSvc.exe [2011-7-4 62776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-5 652872]
R2 MIIIAQ;Metasys III Action Queue;c:\inetpub\wwwroot\metasysiii\tool\bin\ActionQueue.exe [2011-6-27 192512]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2011-8-1 65536]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-7-5 2440632]
R2 TSM Scheduler;TSM Scheduler;c:\program files\tivoli\tsm\baclient\dsmcsvc.exe [2011-7-5 3117056]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2011-7-5 475520]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-7-5 228408]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2011-7-5 240344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-11 105592]
R3 hhdserial32;HHD Software Serial Monitoring Filter Driver;c:\windows\system32\drivers\hhdserial32.sys [2011-8-29 31016]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2011-7-5 41216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-5 20464]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110810.003\NAVENG.SYS [2011-8-11 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110810.003\NAVEX15.SYS [2011-8-11 1576312]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2011-7-5 47616]
S1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2011-7-5 9216]
S2 ChkLpt;ChkLpt;c:\windows\system32\drivers\Chklpt.sys [2011-7-5 6364]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-7-5 23888]
S3 DAPlugin;Visual Insight DA Plugin;c:\program files\accessmanager\client\DAPlugin.exe [2011-7-5 81920]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys --> c:\windows\system32\drivers\e1k5132.sys [?]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2011-7-5 29404]
S3 LdvxBroker;Echelon xDriver Connection Broker;c:\lonworks\bin\LdvxBroker.exe [2011-7-4 66872]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 NDMSHLP;Device Monitor Helper Driver;c:\program files\common files\hhd software\device monitor\NDMSHLP.sys [2005-5-24 7632]
S3 sp_spi_da;Visual Insight Dial Analysis;c:\program files\accessmanager\smoc\spi_da.exe [2011-7-5 81920]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-7-5 189792]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-9-4 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-31 01:17:00 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-12-31 01:16:55 -------- d-----w- c:\documents and settings\cyorkmi\local settings\application data\PCHealth
2011-12-31 01:15:55 851176 ----a-w- c:\windows\system32\winusbcoinstaller2.dll
2011-12-31 01:15:55 1837296 ----a-w- c:\windows\system32\WUDFUpdate_01009.dll
2011-12-31 01:15:55 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2011-12-31 01:15:48 -------- d-----w- c:\program files\Maxim Integrated Products
2011-12-30 15:42:02 6144 ----a-r- c:\documents and settings\cyorkmi\application data\microsoft\installer\{9035e260-3188-11d4-80f7-0050da5a2c97}\IconTmpl.0DED9891_8CB9_41F7_A2A0_A7E11270DB0A.exe
2011-12-30 15:42:02 5120 ----a-r- c:\documents and settings\cyorkmi\application data\microsoft\installer\{9035e260-3188-11d4-80f7-0050da5a2c97}\IconTmpl1.0DED9891_8CB9_41F7_A2A0_A7E11270DB0A.exe
2011-12-30 15:41:59 -------- d-----w- c:\program files\National Instruments
2011-12-30 15:41:31 -------- d-----w- c:\program files\Weather station3.1(1-wire)
2011-12-30 15:41:12 -------- d-----w- c:\program files\Silabs
2011-12-30 15:41:02 -------- d-----w- c:\windows\system32\Silabs
2011-12-30 15:40:48 -------- d-----w- C:\SiLabs
2011-12-25 21:49:44 -------- d-----w- c:\program files\SpywareBlaster
2011-12-25 17:59:11 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-24 02:13:00 -------- d-----w- c:\program files\ARRL 2010 Handbook
2011-12-22 02:09:45 -------- d-----w- c:\documents and settings\cyorkmi\application data\Simon Brown, HB9DRV
2011-12-22 02:09:29 -------- d-----w- c:\program files\Amateur Radio
2011-12-22 02:09:18 724992 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iKernel.dll
2011-12-22 02:09:18 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\ctor.dll
2011-12-22 02:09:18 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\DotNetInstaller.exe
2011-12-22 02:09:18 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\Setup.dll
2011-12-22 02:09:18 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iscript.dll
2011-12-22 02:09:18 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iuser.dll
2011-12-22 02:09:18 184452 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iGdi.dll
2011-12-21 21:55:34 -------- d-----w- c:\documents and settings\cyorkmi\local settings\application data\GlobalSCAPE
2011-12-21 21:55:34 -------- d-----w- c:\documents and settings\all users\application data\GlobalSCAPE
2011-12-21 21:55:15 -------- d-----w- c:\program files\GlobalSCAPE
2011-12-21 05:39:55 -------- d-----w- C:\DXLab
2011-12-20 11:57:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-20 04:05:43 102400 ----a-w- c:\windows\RegBootClean.exe
2011-12-20 03:30:53 38056 ----a-w- c:\windows\system32\drivers\WGX.SYS
2011-12-19 14:04:34 -------- d--h--w- c:\documents and settings\cyorkmi\application data\3E60CFE9
2011-12-04 15:57:22 -------- d-----w- c:\program files\MagicISO
.
==================== Find3M ====================
.
2011-12-21 05:42:02 249856 ------w- c:\windows\Setup1.exe
2011-12-21 05:41:59 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 20:50:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-30 20:50:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-22 17:48:48 229888 ----a-w- c:\documents and settings\cyorkmi\DataRefreshUI_5.2.0.5400.dll
2011-11-07 21:38:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 21:38:04.37 ===============
Attached File: ARK.log (20.25KB)
Attached File: attach.txt (19.49KB)
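The DDS excerpt above is the raw inventory a responder reads first: startup items, ActiveX download (DPF) entries, the AppInit_DLLs value and the Firefox prefs. The script below is an added example written for this thread; it is not part of DDS and not code from the original post. It parses the StartupFolder, DPF, AppInit_DLLs and "FF - prefs.js / user.js" line shapes visible in the log and applies a few triage heuristics of the editor's own: a startup item outside Program Files or Windows, a non-empty AppInit_DLLs, the set of hosts ActiveX controls were fetched from, several JRE installer versions side by side, the Firefox proxy fields and any security.warn_* pref set to false. A "review" finding means "look at this", not "this is malicious". SAMPLE_DDS is a constructed subset of the posted log.

```python
"""Triage the entries of a DDS log that a responder reads first.

Added example, written for this thread; it is not part of DDS or of the
original post.  It parses the StartupFolder, DPF, AppInit_DLLs and
"FF - prefs.js/user.js" line shapes visible in the log and applies a
few triage heuristics of the editor's own.  A "review" finding means
"look at this", not "this is malicious".  SAMPLE_DDS is a constructed
subset of the posted log.
"""
import re
from urllib.parse import urlsplit

# "Key: rest" lines handled here; every other log line is skipped.
PREFIX_RE = re.compile(
    r"^(?P<key>AppInit_DLLs|StartupFolder|DPF|FF - (?:prefs|user)\.js):\s*(?P<rest>.*)$"
)
# Java installer cabs carry the JRE version: jinstall-1_6_0_23-windows-i586.cab
JRE_RE = re.compile(r"jinstall-(\d+_\d+_\d+_\d+)-")
# Startup items normally live under Program Files or Windows; these
# user-writable locations are unusual enough to deserve a look (heuristic).
USER_WRITABLE = ("\\desktop\\", "\\application data\\", "\\local settings\\", "\\temp\\")

# Constructed subset of the log posted above (DDS writes URLs as hxxp).
SAMPLE_DDS = r"""
StartupFolder: c:\documents and settings\cyorkmi\start menu\programs\startup\shortc~1.lnk - c:\documents and settings\cyorkmi\desktop\Metalog.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\dvd check.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
AppInit_DLLs: AMINIT.dll
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64808
FF - prefs.js: network.proxy.type - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
"""


def parse_dds(text):
    """Turn the recognised lines into dicts, one per line, in log order."""
    entries = []
    for line in text.splitlines():
        m = PREFIX_RE.match(line.strip())
        if not m:
            continue
        key, rest = m.group("key"), m.group("rest")
        if key.startswith("FF - "):
            pref, _, value = rest.partition(" - ")
            entries.append({"key": key, "pref": pref.strip(), "value": value.strip()})
        elif key in ("StartupFolder", "DPF"):
            source, _, target = rest.partition(" - ")
            entries.append({"key": key, "source": source.strip(), "target": target.strip()})
        else:
            entries.append({"key": key, "value": rest.strip()})
    return entries


def triage(entries):
    """Return (level, message) findings; level is "review" or "info"."""
    findings = []
    prefs = {e["pref"]: e["value"] for e in entries if "pref" in e}
    dpf_hosts, jre_versions = set(), set()
    for e in entries:
        if e["key"] == "AppInit_DLLs" and e["value"]:
            # Anything listed here is mapped into every process that loads user32.dll.
            findings.append(("review", "AppInit_DLLs is set: %s" % e["value"]))
        elif e["key"] == "StartupFolder":
            if any(p in e["target"].lower() for p in USER_WRITABLE):
                findings.append(("review", "startup item in a user-writable path: %s" % e["target"]))
        elif e["key"] == "DPF":
            url = re.sub(r"^hxx(p|ps)://", r"htt\1://", e["target"])  # undo DDS defanging
            dpf_hosts.add(urlsplit(url).hostname or "?")
            m = JRE_RE.search(url)
            if m:
                jre_versions.add(m.group(1).replace("_", ".", 2))
    if dpf_hosts:
        findings.append(("info", "ActiveX (DPF) download hosts: " + ", ".join(sorted(dpf_hosts))))
    if len(jre_versions) > 1:
        findings.append(("info", "several JRE installers referenced: " + ", ".join(sorted(jre_versions))))
    proxy = prefs.get("network.proxy.http")
    if proxy:
        # network.proxy.type 1 puts the manual proxy fields in force; 0 is a direct connection.
        ptype = prefs.get("network.proxy.type", "unset")
        port = prefs.get("network.proxy.http_port", "?")
        if ptype == "1":
            findings.append(("review", "Firefox HTTP proxy %s:%s is active" % (proxy, port)))
        else:
            findings.append(("info", "Firefox HTTP proxy %s:%s is configured but not active "
                                     "(network.proxy.type = %s)" % (proxy, port, ptype)))
    for name in sorted(prefs):
        if name.startswith("security.warn_") and prefs[name] == "false":
            findings.append(("review", "Firefox security warning pref set to false: %s" % name))
    return findings


if __name__ == "__main__":
    for level, message in triage(parse_dds(SAMPLE_DDS)):
        print("[%s] %s" % (level, message))
```

On the posted log the proxy finding comes out as "configured but not active", because network.proxy.type is 0 (direct connection) even though a 127.0.0.1:64808 HTTP proxy is written in prefs.js; the two user.js entries that set security.warn_* prefs to false are the ones that turn off Firefox's mixed-content and insecure-submit warnings. Feeding the whole log in instead of SAMPLE_DDS needs nothing more than replacing the string.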

#4 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 02 January 2012 - 06:29 PM

Greetings keepncool and Welcome to the Forums,

Is this your machine or your employer's? I wouldn't suspect a connection between the messages from MBAM and the system not going into stand-by. Those messages can be turned off if you like. Let me ask first, how long you have been using MBAM?

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#5 keepncool
  • Topic Starter
  • Members
  • 35 posts

Posted 02 January 2012 - 08:49 PM

I run MBAM once every month or two (and have since I got this computer), but this time strange things were happening before I ran it. I got a notice from my ISP that my computer had a bot. I ran MBAM, and it cleaned off one, but it started informing me that my computer was calling out to other sites. I think there is still a bot on it. This is my computer from work (which is the only reason it still has IE6 and several older versions of Java).
Thanks,
Mike

#6 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 02 January 2012 - 09:03 PM

OK, then please advise us as to whether or not your employer has its own IT department. Does your employer allow you to make system changes on a company-owned computer, and why then, if there is an IT department, would they allow such a thing? Thanks!


#7 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 04 January 2012 - 08:46 AM

Still with us keepncool?


#8 keepncool
  • Topic Starter
  • Members
  • 35 posts

Posted 04 January 2012 - 06:27 PM

Sorry for the delay, I have been out of town working.
We do have an IT Dept, but only off site (across the country), and they don't maintain our computers remotely. If there is a problem we cannot resolve, it has to be packed up and mailed to them, and in this case all they will do is wipe the hard drive and start over. We maintain our own computers in the field.
Thanks,
Mike

#9 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 04 January 2012 - 07:41 PM

I see. So long as you have your employer's approval, it's fine with us.
Next, please temporarily disable your on-board protective programs as detailed Here. Carefully read through that entire thread to make certain any and all programs YOU have on board are disabled.

Next:
It is extremely important that you DO NOT close this program until or unless you are directed to do so. Once the program is closed, it will automatically uninstall itself taking with it anything that was removed and the related report.

Please read through this instruction thoroughly before you begin. Save these instructions in a notepad file, or print them out if necessary so you can refer to them should something go wrong for you during your attempt to carry out these steps. If you have any questions, please ask first before you attempt anything at all.

Please download the AVP removal tool to the desktop and double-click the executable to install it. Select your language preference, accept the agreement and click the Start button. You should see something like this:
[screenshot]
...click the settings button...it's the small "Gear" icon just to the right of the large yellow button. Make sure the following boxes are checked:
System memory
Hidden startup objects
Disk boot sectors
Computer


...Next, click the Actions link and click the bullet item labeled "Select action". Disinfect and Delete if disinfection fails should already be checked by default...then return to the Automatic Scan tab and click the Start scanning button.

If you happen to receive a pop up during the scan which reads "File C:\whatever...is password protected", you can safely ignore it. The program will find its own password protected files and report these during the scan. If there is a genuine malicious file that is password protected, we will deal with it manually later.

The scan will begin and you will see a progress bar and scanned objects counter. When the scan completes, the progress bar will disappear. Click the "Reports" tab icon to the far right, just under the large yellow button. Click on the "Automatic scan report" link, then click the save button. Save the report to your desktop as Scan 1. The report will be saved as a text file.

That file is going to be very large...too large to post the entire thing. What I need you to do at this point, is to open that log in "Notepad", then click Edit from the menu at the top and select "Find". Using that Find search function, use these as search terms:
Disinfected
Cleared of viruses
Detected


Now...you'll need to search for those terms in that log, one at a time. Having selected the "Edit-->Find" function in Notepad, in the Find what search box, type in the word Disinfected then click the Find Next button. The search function will find anything in the text file having the name "Disinfected". Once it presents the findings, copy that individual line item and paste it into another blank notepad, then continue searching by clicking the Find Next button. Do this in like manner for each of the search terms identified above. Once you have completed the search and copied everything you found into the other blank notepad, save it to your desktop as Edited_AVP_Log.txt.

Next, please return to the AVP scanning utility and click the Manual Disinfection tab. Please click the Start gathering system information button. You'll again see a progress bar while the utility collects the necessary information. When it completes, the progress bar will disappear. Click the "Report sending" tab, then click on the link avptool sysinfo.zip (open the file manager). Attach that zip file here on your next reply along with the contents of the "notepad" file that you saved from the above "First scan" instruction. Thanks!

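The Notepad Edit-->Find procedure in the post above, as an added example in Python that is not part of the post and not part of the Kaspersky tool: it keeps every report line containing one of the three search terms, exactly as a case-insensitive Find would (the tool's own "Status: Detected (events: N)" headings included), and then groups the parsed event lines by status so the helper can see at a glance which objects were only detected and which were disinfected. The event-line layout (date, time, status, object kind, detection name, path, severity) is assumed from the report excerpt the topic starter posts later in this thread; SAMPLE_REPORT is constructed from those lines and is not a real report file. The script name avp_verdicts.py is an assumption.

```python
"""Pull the verdict lines out of a Kaspersky AVP tool report.

Added example (not from the thread or from Kaspersky): it automates the
Notepad Edit -> Find procedure and then groups the hits by status.  The
event-line layout is assumed from the report excerpt posted later in
this thread; SAMPLE_REPORT below is constructed from those lines.
"""
import re
import sys
from collections import OrderedDict

# The three search terms exactly as the post lists them.
SEARCH_TERMS = ("Disinfected", "Cleared of viruses", "Detected")

# One event line, e.g.
#   1/6/2012 8:34:32 PM Detected Trojan program Rootkit.Win32.ZAccess.aml c:\WINDOWS\system32\drivers\redbook.sys High
# The kind ("Trojan program", "virus") may contain spaces, the detection
# name never does, and the path starts with a drive letter, so a lazy
# match on the kind resolves the fields unambiguously.
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<status>[A-Z][a-z]+(?: of viruses)?)\s+"
    r"(?P<kind>.+?)\s+(?P<name>\S+)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<severity>High|Medium|Low)\s*$"
)

# Constructed from the excerpt posted later in this thread.
SAMPLE_REPORT = r"""Status: Detected (events: 1)
1/6/2012 8:34:32 PM Detected Trojan program Rootkit.Win32.ZAccess.aml c:\WINDOWS\system32\drivers\redbook.sys High
Status: Deleted (events: 1)
1/6/2012 10:50:03 PM Deleted Trojan program Backdoor.Win32.Bifrose.dwhs C:\Program Files\Common Files\KnifeEdge\CPanel.exe High
Status: Quarantined (events: 1)
1/6/2012 9:16:40 PM Quarantined virus HEUR:Trojan.Win32.Generic c:\WINDOWS\system32\drivers\redbook.sys High
Status: Disinfected (events: 2)
1/6/2012 9:34:54 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.bt C:\Documents and Settings\cyorkmi\Application Data\Sun\Java\Deployment\cache\6.0\32\5f983aa0-73aff4b3/Translate.class High
1/6/2012 9:34:54 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.bt C:\Documents and Settings\cyorkmi\Application Data\Sun\Java\Deployment\cache\6.0\32\5f983aa0-73aff4b3 High
"""


def find_verdict_lines(report_text, terms=SEARCH_TERMS):
    """Return every line Notepad's Find would stop on, in report order.

    Find is a case-insensitive substring search, so the tool's own
    "Status: Detected (events: 1)" headings are kept too, just as they
    would be when copying hits by hand.  Each line is kept once.
    """
    lowered = [t.lower() for t in terms]
    hits, seen = [], set()
    for line in report_text.splitlines():
        if line not in seen and any(t in line.lower() for t in lowered):
            hits.append(line)
            seen.add(line)
    return hits


def parse_event(line):
    """Split one event line into fields; headings and blanks give None."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def group_by_status(lines):
    """Group parsed events by status, keeping first-seen order."""
    grouped = OrderedDict()
    for line in lines:
        event = parse_event(line)
        if event is not None:
            grouped.setdefault(event["status"], []).append(event)
    return grouped


def edited_log(report_text, terms=SEARCH_TERMS):
    """Text for Edited_AVP_Log.txt: the raw hits, then name -> path per status.

    The summary makes the difference visible between objects that were
    only detected (still on disk) and those that were disinfected.
    """
    hits = find_verdict_lines(report_text, terms)
    out = list(hits) + [""]
    for status, events in group_by_status(hits).items():
        out.append("%s (%d):" % (status, len(events)))
        out.extend("  %s  %s" % (e["name"], e["path"]) for e in events)
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python avp_verdicts.py "Scan 1.txt" > Edited_AVP_Log.txt
    # With no argument the constructed sample is used instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    print(edited_log(text))
```

Because the match is a plain substring search, a line is also kept when the word appears inside a path or detection name; that mirrors what the manual Find does and is the reason the helper asks for the raw line rather than an interpretation of it. Lines the regex does not recognise (headings, blanks, any layout the tool changes in a later version) are still kept in the raw section and are only left out of the per-status summary.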


#10 keepncool
  • Topic Starter
  • Members
  • 35 posts

Posted 04 January 2012 - 09:55 PM

I will be happy to stay on the computer and run this program tonight as long as I will be able to finish with this program tonight. I will need to use my computer tomorrow at work. (I will not allow the computer to get back online until you instruct me to.)
thanks,
Mike

#11 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 05 January 2012 - 04:10 AM

That's fine. Just post the requested log(s) when your time permits. Thanks!


#12 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 07 January 2012 - 09:41 AM

Still with us keepncool?


#13 keepncool
  • Topic Starter
  • Members
  • 35 posts

Posted 07 January 2012 - 09:56 AM

Yeah, the weekend is finally here, so I have the time necessary to work on this problem.
Here is the scan you requested after KVRT. KVRT has not been shut down, per your instructions.
Thanks for your time and help.
Mike

Status: Detected (events: 1)
1/6/2012 8:34:32 PM Detected Trojan program Rootkit.Win32.ZAccess.aml c:\WINDOWS\system32\drivers\redbook.sys High
Status: Deleted (events: 1)
1/6/2012 10:50:03 PM Deleted Trojan program Backdoor.Win32.Bifrose.dwhs C:\Program Files\Common Files\KnifeEdge\CPanel.exe High
Status: Quarantined (events: 3)
1/6/2012 9:16:40 PM Quarantined virus HEUR:Trojan.Win32.Generic c:\WINDOWS\system32\drivers\redbook.sys High
1/6/2012 11:07:38 PM Quarantined virus HEUR:Trojan.Win32.Generic C:\TEMP\HouseCall\log\300CCEF1-2198-43E5-854F-6EE073E2ACA5\backup\1//PE-Crypt.XorPE High
1/6/2012 11:07:38 PM Quarantined virus HEUR:Trojan.Win32.Generic C:\TEMP\HouseCall\log\300CCEF1-2198-43E5-854F-6EE073E2ACA5\backup\1 High
Status: Disinfected (events: 2)
1/6/2012 9:34:54 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.bt C:\Documents and Settings\cyorkmi\Application Data\Sun\Java\Deployment\cache\6.0\32\5f983aa0-73aff4b3/Translate.class High
1/6/2012 9:34:54 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.bt C:\Documents and Settings\cyorkmi\Application Data\Sun\Java\Deployment\cache\6.0\32\5f983aa0-73aff4b3 High


Edited by keepncool, 07 January 2012 - 09:57 AM.


#14 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 09 January 2012 - 11:57 AM

Please return to the AVP scanning utility and click the "Manual Disinfection" tab. Click on the Script execution link on the far right side. Copy and paste the script below, indicated in bold text, into the text window, then click the Run script button:
begin
  SetAVZGuardStatus(True);                        // enable AVZGuard so running malware cannot interfere with the script
  SearchRootkit(true, true);                      // scan for kernel- and user-mode hooks before touching any files
  BC_DeleteSvc('SABProcEnum');                    // queue the SABProcEnum service for removal by the boot cleaner
  BC_DeleteFile('C:\LonWorks\Bin\pt95Fbs.dll');   // queue these two files for deletion at the next boot,
  BC_DeleteFile('C:\LonWorks\bin\pcc10cfg.cpl');  // before anything can load them
  BC_ImportDeletedList;                           // add the objects already marked for deletion to the boot cleaner's list
  ExecuteSysClean;                                // AVZ system cleanup
  ExecuteWizard('TSW',2,3,true);                  // troubleshooting wizard, auto-fixing problems of danger level 2 to 3
  BC_Activate;                                    // arm the boot cleaner
  RebootWindows(true);                            // reboot so the queued deletions are carried out
end.


When it completes, the system will reboot. Post back when the system comes back up and let us know how things are running for you now. Thanks!


#15 keepncool
  • Topic Starter
  • Members
  • 35 posts

Posted 11 January 2012 - 06:08 AM

It looks like it is working much better. I turned MBAM back on, and connected to the internet, and it no longer gives me that warning.
thanks,
Mike
