janussea
Everything posted by janussea
My apologies, I thought I had. Here it is:

ComboFix 11-11-30.01 - bcarsto 11/30/2011 12:17:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1475 [GMT -5:00]
Running from: C:\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\bcarsto\Application Data\JuniperExtXP.exe
c:\documents and settings\bcarsto\Application Data\JuniperSetup.exe
c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}
c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}\chrome.manifest
c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}\chrome\xulcache.jar
c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}\defaults\preferences\xulcache.js
c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}\install.rdf
c:\documents and settings\bcarsto\g2mdlhlpx.exe
c:\documents and settings\bcarsto\Recent\Thumbs.db
c:\documents and settings\bcarsto\Start Menu\Programs\AV Protection 2011
c:\documents and settings\bcarsto\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk
c:\documents and settings\bcarsto\WINDOWS
c:\documents and settings\mail\~inbox.pst.tmp
c:\program files\LP
c:\program files\LP\D0C2\4.tmp
c:\program files\LP\D0C2\57.tmp
c:\program files\LP\D0C2\59.tmp
C:\Thumbs.db
c:\windows\$NtUninstallKB45751$
c:\windows\$NtUninstallKB45751$\3265949725\@
c:\windows\$NtUninstallKB45751$\3265949725\bckfg.tmp
c:\windows\$NtUninstallKB45751$\3265949725\cfg.ini
c:\windows\$NtUninstallKB45751$\3265949725\Desktop.ini
c:\windows\$NtUninstallKB45751$\3265949725\keywords
c:\windows\$NtUninstallKB45751$\3265949725\kwrd.dll
c:\windows\$NtUninstallKB45751$\3265949725\L\lfisamud
c:\windows\$NtUninstallKB45751$\3265949725\lsflt7.ver
c:\windows\$NtUninstallKB45751$\3265949725\U\00000001.@
c:\windows\$NtUninstallKB45751$\3265949725\U\00000002.@
c:\windows\$NtUninstallKB45751$\3265949725\U\00000004.@
c:\windows\$NtUninstallKB45751$\3265949725\U\80000000.@
c:\windows\$NtUninstallKB45751$\3265949725\U\80000004.@
c:\windows\$NtUninstallKB45751$\3265949725\U\80000032.@
c:\windows\$NtUninstallKB45751$\979825987
c:\windows\CSC\d6
c:\windows\dasetup.log
c:\windows\svcs.exe
c:\windows\system32\Cache
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\usmt\migwiz_a.exe
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_RkHit
-------\Legacy_NetworkLog
-------\Service_NetworkLog
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-30 )))))))))))))))))))))))))))))))
.
.
2011-11-30 16:44 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-22 01:51 . 2011-11-22 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-21 02:58 . 2011-11-21 02:58 -------- d-----w- c:\documents and settings\bcarsto\Application Data\Tific
2011-11-21 02:57 . 2011-11-21 02:57 -------- d-----w- c:\documents and settings\bcarsto\Local Settings\Application Data\Symantec
2011-11-21 01:20 . 2011-11-21 01:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2011-11-20 01:47 .
2011-11-20 01:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2011-11-20 01:46 . 2011-11-20 01:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TSVNCache 2011-11-20 01:45 . 2011-11-20 01:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Juniper Networks 2011-11-20 00:22 . 2011-11-21 01:44 -------- d-----w- c:\documents and settings\bcarsto\Local Settings\Application Data\NPE 2011-11-19 12:24 . 2011-11-19 12:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ID Vault 2011-11-19 12:24 . 2011-11-19 12:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\ID Vault 2011-11-19 01:52 . 2011-11-19 01:52 -------- d-----w- c:\documents and settings\bcarsto\Application Data\Malwarebytes 2011-11-19 01:51 . 2011-11-19 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-11-19 01:51 . 2011-11-19 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-11-19 01:51 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-11-19 01:07 . 2011-11-19 01:07 -------- d-----w- c:\documents and settings\bcarsto\Application Data\tLL99hTXqjUClIr 2011-11-19 01:07 . 2011-11-19 01:07 -------- d-----w- c:\documents and settings\bcarsto\Application Data\TVrrllOBtxP0cSi 2011-11-18 23:37 . 2011-11-19 02:28 -------- d-----w- c:\program files\F1B49 2011-11-18 23:36 . 2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\207F1 2011-11-18 23:36 . 2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\QQQJJ6dEK8f 2011-11-18 23:36 . 2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\CAA00uvS2ibFpm5 2011-11-18 23:36 . 2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\neeekIIBrzOy 2011-11-18 23:36 . 
2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\qQQJJ6dEK8fR9hX 2011-11-15 22:57 . 2011-11-15 22:57 -------- d-----w- c:\program files\Winmail Reader . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-11-16 13:25 . 2011-05-18 11:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-19 13:07 . 2011-10-17 20:03 216064 ----a-w- c:\windows\iun3405.exe 2011-10-10 14:22 . 2007-06-18 23:44 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll 2011-09-26 15:41 . 2007-10-09 17:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 15:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 15:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-06 13:20 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys 2009-03-13 16:28 . 2009-03-13 16:28 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll 2009-03-13 16:28 . 2009-03-13 16:28 107936 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll 2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll 2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll 2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll 2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll 2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll 2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll 2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll 2009-05-01 21:02 . 
2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll 2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll 2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll 2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll 2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal] @="{C5994560-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}] 2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified] @="{C5994561-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}] 2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict] @="{C5994562-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}] 2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked] @="{C5994563-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}] 2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly] @="{C5994564-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}] 2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted] @="{C5994565-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}] 2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded] @="{C5994566-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}] 2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored] @="{C5994567-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}] 2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned] @="{C5994568-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}] 2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Seagull Drivers"="ssdal_nc.exe startup" [X] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624] "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-10-20 6144] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys] @="" . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Dialer (OnStartup).lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Dialer (OnStartup).lnk backup=c:\windows\pss\VPN Dialer (OnStartup).lnkCommon Startup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2011-08-31 01:57 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] 2006-01-02 21:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1] 2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] 2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe . 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon] 2007-10-25 20:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] 2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc] 2006-08-17 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] 2006-11-05 15:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2004-02-23 03:44 32881 ----a-w- c:\program files\Business Objects\JRE\bin\jusched.exe . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Visual Studio .NET 2003\\Common7\\IDE\\devenv.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Telerik\\RadControls for ASP.NET AJAX Q2 2010\\Live Demos\\StartExamples.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"= "c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"= "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"= "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"= "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"= "c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\WINDOWS\\system32\\ftp.exe"= "c:\\Program Files\\Telerik\\RadControls for ASP.NET AJAX Q1 2011\\Live Demos\\StartExamples.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\VMware\\VMware View\\Client\\bin\\wswc.exe"= "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "6160:TCP"= 6160:TCP:Seagull Driver Networking . 
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [12/27/2007 10:23 PM 64160] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/18/2011 8:51 PM 366152] R2 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3/17/2011 6:08 PM 29261152] R2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [11/5/2008 4:49 PM 147456] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/18/2011 8:51 PM 22216] R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [5/10/2007 1:54 PM 17632] R3 SSLDrv;Virtual Passage SSLDrv Adapter;c:\windows\system32\drivers\SSLDrv.sys [4/5/2010 1:07 PM 18656] S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?] S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?] S3 Label Print;EMS Label Print;c:\hazox\EMSRVR40\LABELP~1\EMSLAB~2.EXE --> c:\hazox\EMSRVR40\LABELP~1\EMSLAB~2.EXE [?] S3 Label;EMS Label;c:\hazox\EMSRVR40\LABELS~1\EMSLAB~2.EXE --> c:\hazox\EMSRVR40\LABELS~1\EMSLAB~2.EXE [?] 
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880] S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/17/2011 6:08 PM 202592] S3 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 8:22 AM 95592] S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000] S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [3/17/2011 6:08 PM 13664] S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [11/24/2008 9:31 PM 346976] S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?] S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?] S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder . 2011-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1645522239-839522115-1609Core.job - c:\documents and settings\bcarsto\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 01:00] . 2011-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1645522239-839522115-1609UA.job - c:\documents and settings\bcarsto\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 01:00] . 
2011-11-30 c:\windows\Tasks\User_Feed_Synchronization-{BB6A73FA-2B80-4959-847F-6148C906F98E}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . . ------- Supplementary Scan ------- . uStart Page = https://vpn.hazox.com/scgi-bin/index.htm/hazox IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105 Trusted Zone: dyndns.info\emsweb Trusted Zone: hazox.com\vpn Trusted Zone: intuit.com\ttlc Trusted Zone: localhost Trusted Zone: ts4 Trusted Zone: turbotax.com Trusted Zone: vertellus.com\mycow DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab DPF: {19DFFB5D-E30A-4E3B-8524-0AD8F4D88D32} - hxxps://vpn.hazox.com/XTunnel.cab DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vpn.hazox.com/WebCacheCleaner.cab DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574} DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://76.116.153.195/NGVPNTunnel.cab FF - ProfilePath - c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig|http://www.3quarksdaily.com/|http://sz0042.wc.mail.comcast.net/zimbra/mail#2 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Microsoft .NET 
Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250} FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff . . ------- File Associations ------- . .txt=TextPad.txt . - - - - ORPHANS REMOVED - - - - . WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) HKLM-Run-NWEReboot - (no file) MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe AddRemove-KB955706_DTS9 - c:\windows\DTS9_KB955706_ENU\Hotfix.exe AddRemove-KB955706_NS9 - c:\windows\NS9_KB955706_ENU\Hotfix.exe AddRemove-KB955706_RS9 - c:\windows\RS9_KB955706_ENU\Hotfix.exe AddRemove-KB955706_SQL9 - c:\windows\SQL9_KB955706_ENU\Hotfix.exe AddRemove-KB955706_SQLTools9 - c:\windows\SQLTools9_KB955706_ENU\Hotfix.exe AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-11-30 13:12 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\prefs.js.BAK 41924 bytes . scan completed successfully hidden files: 1 . ************************************************************************** . 
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql$SQL2005] "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQL2005" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-1409082233-1645522239-839522115-1609\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1156) c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(6240) c:\windows\system32\WININET.dll c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll c:\program files\TortoiseSVN\bin\TortoiseStub.dll c:\program files\TortoiseSVN\bin\TortoiseSVN.dll c:\program files\TortoiseSVN\bin\intl3_tsvn.dll c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Roxio\Drag-to-Disc\Shellex.dll c:\windows\system32\DLAAPI_W.DLL c:\windows\system32\CDRTC.DLL c:\program files\Roxio\Drag-to-Disc\ShellRes.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\Ati2evxx.exe c:\windows\System32\WLTRYSVC.EXE c:\windows\System32\bcmwltry.exe c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Juniper Networks\Common Files\dsNcService.exe c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe c:\windows\system32\inetsrv\inetinfo.exe c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\oracle\ora92\bin\omtsreco.exe c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe c:\windows\system32\Ati2evxx.exe c:\program files\TortoiseSVN\bin\TSVNCache.exe c:\windows\stsystra.exe . ************************************************************************** . Completion time: 2011-11-30 13:25:01 - machine was rebooted ComboFix-quarantined-files.txt 2011-11-30 18:24 . Pre-Run: 31,720,448,000 bytes free Post-Run: 32,838,901,760 bytes free . - - End Of File - - C5C3CDAD601DBB779257AF5DB9D138D0
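The log above is exactly what ComboFix prints, and the handful of entries that matter (the fake `$NtUninstallKB…$` hotfix-uninstall folder holding `@` payload files under `U\` and `L\`, the patched ipsec.sys, the removed RkHit service, the firewall switched off) are buried among routine deletions. The Python below is an added example, not ComboFix's own code and not part of the original post: it splits a ComboFix log into its `(((( Section ))))` blocks and runs a short rule list over every line. The sample text is an excerpt of the posted log with its line breaks restored; the rules, the reasons attached to them, and the ZeroAccess attribution in the first rule are this example's assumptions, not anything ComboFix itself reports.

```python
"""Triage a ComboFix log: split it into sections, then flag high-signal lines.
Added example, not ComboFix code. SAMPLE_LOG is an excerpt of the log posted
above (line breaks restored, most entries elided); RULES is an assumed rule set."""
import re
from collections import OrderedDict

SAMPLE_LOG = r"""ComboFix 11-11-30.01 - bcarsto 11/30/2011 12:17:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1475 [GMT -5:00]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\bcarsto\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk
c:\windows\$NtUninstallKB45751$\3265949725\@
c:\windows\$NtUninstallKB45751$\3265949725\L\lfisamud
c:\windows\$NtUninstallKB45751$\3265949725\U\80000032.@
c:\windows\svcs.exe
c:\windows\system32\drivers\etc\lmhosts
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_RkHit
-------\Legacy_NetworkLog
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# ComboFix section headers look like "(((((( Name ))))))"; capture just the name.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")


def parse_sections(text):
    """Return an ordered {section name: [lines]} mapping.
    Lines before the first header go under 'Header'. ComboFix prints a lone
    '.' where a blank line would be, so those are dropped along with blanks."""
    sections = OrderedDict([("Header", [])])
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


# (regex, reason) pairs tried in order on every line; the first match wins.
# These are this example's assumptions about what deserves a second look.
RULES = [
    (re.compile(r"\\\$NtUninstallKB\d+\$\\\d+\\(?:@$|[UL]\\)", re.I),
     "fake hotfix-uninstall dir with @/U/L payload files (ZeroAccess-style rootkit staging)"),
    (re.compile(r"^Infected copy of (.+?) was found", re.I),
     "system driver was patched in place and had to be restored"),
    (re.compile(r"^-------\\(?:Service|Legacy)_(\w+)$"),
     "service removed by ComboFix; confirm its driver file is gone too"),
    (re.compile(r'^"EnableFirewall"=\s*0\b'),
     "Windows Firewall disabled on the standard profile"),
    (re.compile(r"\\Start Menu\\Programs\\AV Protection 2011\\", re.I),
     "shortcut for 'AV Protection 2011' (rogue antivirus)"),
    (re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I),
     "executable directly under c:\\windows (unusual location, verify publisher)"),
]


def flag_indicators(sections):
    """Apply RULES to each line of each section; return [(section, line, reason)]."""
    hits = []
    for name, lines in sections.items():
        for line in lines:
            for rx, reason in RULES:
                if rx.search(line):
                    hits.append((name, line, reason))
                    break
    return hits


if __name__ == "__main__":
    for sec, line, why in flag_indicators(parse_sections(SAMPLE_LOG)):
        print(f"[{sec}] {why}\n    {line}")
```

Run it against the full log (saved as a file and read into `parse_sections`) and the `Files Created` section will also surface the randomly named `Application Data` folders; those are left out of the rule set here because a random name alone is a weak signal and a human still has to look at them.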
-
Hello. Malwarebytes is blocking access to a malicious website and my Firefox is hijacked. Can someone please help me clean this from my PC?

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by bcarsto at 9:42:44 on 2011-11-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1026 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\System32\WLTRYSVC.EXE
C:\windows\System32\bcmwltry.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\windows\stsystra.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\svcs.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\notepad.exe
C:\windows\system32\wuauclt.exe
C:\windows\System32\ping.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://vpn.hazox.com/scgi-bin/index.htm/hazox
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [Google Update] "c:\documents and settings\bcarsto\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [NWEReboot]
mRun: [seagull Drivers] ssdal_nc.exe startup
mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: dyndns.info\emsweb
Trusted Zone: hazox.com\vpn
Trusted Zone: intuit.com\ttlc
Trusted Zone: localhost
Trusted Zone: ts4
Trusted Zone: turbotax.com
Trusted Zone: vertellus.com\mycow
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {19DFFB5D-E30A-4E3B-8524-0AD8F4D88D32} - hxxps://vpn.hazox.com/XTunnel.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182273289609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182273258609
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vpn.hazox.com/WebCacheCleaner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://ts3/viewer/ActiveXViewer/CRViewer.dll
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://connect.vwr.com/downloads/VMware-viewclient.cab
DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://76.116.153.195/NGVPNTunnel.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP2-12243/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://access.us.henkel.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.us.henkel.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0
TCP: Interfaces\{55998922-994C-4034-B7C9-4FFFA62E8241} : DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bcarsto\application data\mozilla\firefox\profiles\hjzswzir.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig|http://www.3quarksdaily.com/|http://sz0042.wc.mail.comcast.net/zimbra/mail#2
FF - plugin: c:\documents and settings\bcarsto\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\documents and settings\bcarsto\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstloader.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: XUL Cache: {1b669e51-7af0-4aec-bcfa-8414277b0396} - %profile%\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-18 366152]
R2 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2011-3-17 29261152]
R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-11-24 508928]
R2 wsnm;VMware View Client Service;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2008-11-5 147456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-18 22216]
R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [2007-5-10 17632]
R3 SSLDrv;Virtual Passage SSLDrv Adapter;c:\windows\system32\drivers\SSLDrv.sys [2010-4-5 18656]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 Label Print;EMS Label Print;c:\hazox\emsrvr40\labelp~1\emslab~2.exe --> c:\hazox\emsrvr40\labelp~1\EMSLAB~2.EXE [?]
S3 Label;EMS Label;c:\hazox\emsrvr40\labels~1\emslab~2.exe --> c:\hazox\emsrvr40\labels~1\EMSLAB~2.EXE [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2011-3-17 202592]
S3 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2007-6-22 95592]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);c:\program files\microsoft sql server\mssql.2\reporting services\reportserver\bin\ReportingServicesService.exe [2011-3-17 13664]
S3 RkHit;RkHit;\??\c:\windows\system32\drivers\rkhit.sys --> c:\windows\system32\drivers\RKHit.sys [?]
S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2008-11-24 346976]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== File Associations ===============
.
.txt=TextPad.txt
.
=============== Created Last 30 ================
.
2011-11-24 15:18:23 508928 ----a-w- c:\windows\svcs.exe
2011-11-24 14:42:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-22 01:51:21 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-21 02:58:08 -------- d-----w- c:\documents and settings\bcarsto\application data\Tific
2011-11-21 02:57:37 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\Symantec
2011-11-20 00:22:22 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\NPE
2011-11-19 01:52:31 -------- d-----w- c:\documents and settings\bcarsto\application data\Malwarebytes
2011-11-19 01:51:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-19 01:51:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 01:51:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\TVrrllOBtxP0cSi
2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\tLL99hTXqjUClIr
2011-11-18 23:37:09 -------- d-----w- c:\program files\F1B49
2011-11-18 23:36:26 -------- d-----w- c:\program files\LP
2011-11-18 23:36:26 -------- d-----w- c:\documents and settings\bcarsto\application data\207F1
2011-11-18 23:36:23 -------- d-----w- c:\documents and settings\bcarsto\application data\QQQJJ6dEK8f
2011-11-18 23:36:22 -------- d-----w- c:\documents and settings\bcarsto\application data\CAA00uvS2ibFpm5
2011-11-18 23:36:16 -------- d-----w- c:\documents and settings\bcarsto\application data\neeekIIBrzOy
2011-11-18 23:36:15 -------- d-----w- c:\documents and settings\bcarsto\application data\qQQJJ6dEK8fR9hX
2011-11-15 22:57:21 -------- d-----w- c:\program files\Winmail Reader
.
==================== Find3M ====================
.
2011-11-16 13:25:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-19 13:07:16 216064 ----a-w- c:\windows\iun3405.exe
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 9:50:47.09 ===============
-
Thanks to malwarebytes for blocking access to a malicious site from my PC. Can someone help me rid my system of this pest permanently?
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by bcarsto at 9:42:44 on 2011-11-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1026 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\System32\WLTRYSVC.EXE
C:\windows\System32\bcmwltry.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\windows\stsystra.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\svcs.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\notepad.exe
C:\windows\system32\wuauclt.exe
C:\windows\System32\ping.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://vpn.hazox.com/scgi-bin/index.htm/hazox
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [Google Update] "c:\documents and settings\bcarsto\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [NWEReboot]
mRun: [seagull Drivers] ssdal_nc.exe startup
mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: dyndns.info\emsweb
Trusted Zone: hazox.com\vpn
Trusted Zone: intuit.com\ttlc
Trusted Zone: localhost
Trusted Zone: ts4
Trusted Zone: turbotax.com
Trusted Zone: vertellus.com\mycow
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {19DFFB5D-E30A-4E3B-8524-0AD8F4D88D32} - hxxps://vpn.hazox.com/XTunnel.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182273289609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182273258609
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vpn.hazox.com/WebCacheCleaner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://ts3/viewer/ActiveXViewer/CRViewer.dll
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://connect.vwr.com/downloads/VMware-viewclient.cab
DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://76.116.153.195/NGVPNTunnel.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP2-12243/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://access.us.henkel.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.us.henkel.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0
TCP: Interfaces\{55998922-994C-4034-B7C9-4FFFA62E8241} : DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bcarsto\application data\mozilla\firefox\profiles\hjzswzir.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig|http://www.3quarksdaily.com/|http://sz0042.wc.mail.comcast.net/zimbra/mail#2
FF - plugin: c:\documents and settings\bcarsto\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\documents and settings\bcarsto\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstloader.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: XUL Cache: {1b669e51-7af0-4aec-bcfa-8414277b0396} - %profile%\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-18 366152]
R2 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2011-3-17 29261152]
R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-11-24 508928]
R2 wsnm;VMware View Client Service;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2008-11-5 147456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-18 22216]
R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [2007-5-10 17632]
R3 SSLDrv;Virtual Passage SSLDrv Adapter;c:\windows\system32\drivers\SSLDrv.sys [2010-4-5 18656]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 Label Print;EMS Label Print;c:\hazox\emsrvr40\labelp~1\emslab~2.exe --> c:\hazox\emsrvr40\labelp~1\EMSLAB~2.EXE [?]
S3 Label;EMS Label;c:\hazox\emsrvr40\labels~1\emslab~2.exe --> c:\hazox\emsrvr40\labels~1\EMSLAB~2.EXE [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2011-3-17 202592]
S3 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2007-6-22 95592]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);c:\program files\microsoft sql server\mssql.2\reporting services\reportserver\bin\ReportingServicesService.exe [2011-3-17 13664]
S3 RkHit;RkHit;\??\c:\windows\system32\drivers\rkhit.sys --> c:\windows\system32\drivers\RKHit.sys [?]
S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2008-11-24 346976]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== File Associations ===============
.
.txt=TextPad.txt
.
=============== Created Last 30 ================
.
2011-11-24 15:18:23 508928 ----a-w- c:\windows\svcs.exe
2011-11-24 14:42:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-22 01:51:21 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-21 02:58:08 -------- d-----w- c:\documents and settings\bcarsto\application data\Tific
2011-11-21 02:57:37 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\Symantec
2011-11-20 00:22:22 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\NPE
2011-11-19 01:52:31 -------- d-----w- c:\documents and settings\bcarsto\application data\Malwarebytes
2011-11-19 01:51:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-19 01:51:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 01:51:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\TVrrllOBtxP0cSi
2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\tLL99hTXqjUClIr
2011-11-18 23:37:09 -------- d-----w- c:\program files\F1B49
2011-11-18 23:36:26 -------- d-----w- c:\program files\LP
2011-11-18 23:36:26 -------- d-----w- c:\documents and settings\bcarsto\application data\207F1
2011-11-18 23:36:23 -------- d-----w- c:\documents and settings\bcarsto\application data\QQQJJ6dEK8f
2011-11-18 23:36:22 -------- d-----w- c:\documents and settings\bcarsto\application data\CAA00uvS2ibFpm5
2011-11-18 23:36:16 -------- d-----w- c:\documents and settings\bcarsto\application data\neeekIIBrzOy
2011-11-18 23:36:15 -------- d-----w- c:\documents and settings\bcarsto\application data\qQQJJ6dEK8fR9hX
2011-11-15 22:57:21 -------- d-----w- c:\program files\Winmail Reader
.
==================== Find3M ====================
.
2011-11-16 13:25:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-19 13:07:16 216064 ----a-w- c:\windows\iun3405.exe
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 9:50:47.09 ===============