janussea

Everything posted by janussea

  1. My apologies, I thought I had. Here it is: ComboFix 11-11-30.01 - bcarsto 11/30/2011 12:17:54.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1475 [GMT -5:00] Running from: C:\ComboFix.exe
  2. ComboFix was not able to install the Windows Recovery Console. It said the master boot record was corrupt, but it continued anyway. The first reboot did not happen after an hour, so I powered down the PC and restarted it, and then ComboFix continued, did its scan, did the auto reboot and produced a log.
  3. Thanks for the advice, Elise. I think I am going to format the hard drive. Is it safe for me to copy some data files from the PC before I do, or is it possible that anything I copy may have the infection? Or would you recommend cleaning it first and then copying the files before formatting the drive? Bob
  4. Hello. Malwarebytes is blocking access to a malicious website and my Firefox is hijacked. Can someone please help me clean this from my PC? DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21 Run by bcarsto at 9:42:44 on 2011-11-25 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1026 [GMT -5:00]
- hxxps://access.us.henkel.com/dana-cached/setup/JuniperSetupSP1.cab DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.us.henkel.com/dana-cached/sc/JuniperSetupClient.cab TCP: DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0 TCP: Interfaces\{55998922-994C-4034-B7C9-4FFFA62E8241} : DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0 Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL Notify: AtiExtEvent - Ati2evxx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\bcarsto\application data\mozilla\firefox\profiles\hjzswzir.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig|http://www.3quarksdaily.com/|http://sz0042.wc.mail.comcast.net/zimbra/mail#2 FF - plugin: c:\documents and settings\bcarsto\application data\mozilla\plugins\npatgpc.dll FF - plugin: c:\documents and settings\bcarsto\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll FF - plugin: c:\program files\mozilla firefox\plugins\npstloader.dll FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla 
firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250} FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79} FF - Ext: XUL Cache: {1b669e51-7af0-4aec-bcfa-8414277b0396} - %profile%\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff . ============= SERVICES / DRIVERS =============== . 
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-18 366152] R2 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2011-3-17 29261152] R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-11-24 508928] R2 wsnm;VMware View Client Service;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2008-11-5 147456] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-18 22216] R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [2007-5-10 17632] R3 SSLDrv;Virtual Passage SSLDrv Adapter;c:\windows\system32\drivers\SSLDrv.sys [2010-4-5 18656] S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?] S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?] S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872] S3 Label Print;EMS Label Print;c:\hazox\emsrvr40\labelp~1\emslab~2.exe --> c:\hazox\emsrvr40\labelp~1\EMSLAB~2.EXE [?] S3 Label;EMS Label;c:\hazox\emsrvr40\labels~1\emslab~2.exe --> c:\hazox\emsrvr40\labels~1\EMSLAB~2.EXE [?] 
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880] S3 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2011-3-17 202592] S3 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2007-6-22 95592] S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000] S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);c:\program files\microsoft sql server\mssql.2\reporting services\reportserver\bin\ReportingServicesService.exe [2011-3-17 13664] S3 RkHit;RkHit;\??\c:\windows\system32\drivers\rkhit.sys --> c:\windows\system32\drivers\RKHit.sys [?] S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2008-11-24 346976] S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?] S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952] S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000] . =============== File Associations =============== . .txt=TextPad.txt . =============== Created Last 30 ================ . 
2011-11-24 15:18:23 508928 ----a-w- c:\windows\svcs.exe 2011-11-24 14:42:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-11-22 01:51:21 -------- d-----w- c:\documents and settings\all users\application data\PC Tools 2011-11-21 02:58:08 -------- d-----w- c:\documents and settings\bcarsto\application data\Tific 2011-11-21 02:57:37 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\Symantec 2011-11-20 00:22:22 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\NPE 2011-11-19 01:52:31 -------- d-----w- c:\documents and settings\bcarsto\application data\Malwarebytes 2011-11-19 01:51:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes 2011-11-19 01:51:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-11-19 01:51:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\TVrrllOBtxP0cSi 2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\tLL99hTXqjUClIr 2011-11-18 23:37:09 -------- d-----w- c:\program files\F1B49 2011-11-18 23:36:26 -------- d-----w- c:\program files\LP 2011-11-18 23:36:26 -------- d-----w- c:\documents and settings\bcarsto\application data\207F1 2011-11-18 23:36:23 -------- d-----w- c:\documents and settings\bcarsto\application data\QQQJJ6dEK8f 2011-11-18 23:36:22 -------- d-----w- c:\documents and settings\bcarsto\application data\CAA00uvS2ibFpm5 2011-11-18 23:36:16 -------- d-----w- c:\documents and settings\bcarsto\application data\neeekIIBrzOy 2011-11-18 23:36:15 -------- d-----w- c:\documents and settings\bcarsto\application data\qQQJJ6dEK8fR9hX 2011-11-15 22:57:21 -------- d-----w- c:\program files\Winmail Reader . ==================== Find3M ==================== . 
2011-11-16 13:25:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-19 13:07:16 216064 ----a-w- c:\windows\iun3405.exe 2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll 2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys . ============= FINISH: 9:50:47.09 ===============
  5. Thanks to malwarebytes for blocking access to a malicious site from my PC. Can someone help me rid my system of this pest permanently?
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by bcarsto at 9:42:44 on 2011-11-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1026 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\System32\WLTRYSVC.EXE
C:\windows\System32\bcmwltry.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\windows\stsystra.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\svcs.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\notepad.exe
C:\windows\system32\wuauclt.exe
C:\windows\System32\ping.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://vpn.hazox.com/scgi-bin/index.htm/hazox
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [Google Update] "c:\documents and settings\bcarsto\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [NWEReboot]
mRun: [seagull Drivers] ssdal_nc.exe startup
mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: dyndns.info\emsweb
Trusted Zone: hazox.com\vpn
Trusted Zone: intuit.com\ttlc
Trusted Zone: localhost
Trusted Zone: ts4
Trusted Zone: turbotax.com
Trusted Zone: vertellus.com\mycow
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {19DFFB5D-E30A-4E3B-8524-0AD8F4D88D32} - hxxps://vpn.hazox.com/XTunnel.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182273289609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182273258609
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vpn.hazox.com/WebCacheCleaner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://ts3/viewer/ActiveXViewer/CRViewer.dll
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://connect.vwr.com/downloads/VMware-viewclient.cab
DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://76.116.153.195/NGVPNTunnel.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP2-12243/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://access.us.henkel.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.us.henkel.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0
TCP: Interfaces\{55998922-994C-4034-B7C9-4FFFA62E8241} : DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bcarsto\application data\mozilla\firefox\profiles\hjzswzir.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig|http://www.3quarksdaily.com/|http://sz0042.wc.mail.comcast.net/zimbra/mail#2
FF - plugin: c:\documents and settings\bcarsto\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\documents and settings\bcarsto\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstloader.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: XUL Cache: {1b669e51-7af0-4aec-bcfa-8414277b0396} - %profile%\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-18 366152]
R2 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2011-3-17 29261152]
R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-11-24 508928]
R2 wsnm;VMware View Client Service;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2008-11-5 147456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-18 22216]
R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [2007-5-10 17632]
R3 SSLDrv;Virtual Passage SSLDrv Adapter;c:\windows\system32\drivers\SSLDrv.sys [2010-4-5 18656]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 Label Print;EMS Label Print;c:\hazox\emsrvr40\labelp~1\emslab~2.exe --> c:\hazox\emsrvr40\labelp~1\EMSLAB~2.EXE [?]
S3 Label;EMS Label;c:\hazox\emsrvr40\labels~1\emslab~2.exe --> c:\hazox\emsrvr40\labels~1\EMSLAB~2.EXE [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2011-3-17 202592]
S3 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2007-6-22 95592]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);c:\program files\microsoft sql server\mssql.2\reporting services\reportserver\bin\ReportingServicesService.exe [2011-3-17 13664]
S3 RkHit;RkHit;\??\c:\windows\system32\drivers\rkhit.sys --> c:\windows\system32\drivers\RKHit.sys [?]
S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2008-11-24 346976]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== File Associations ===============
.
.txt=TextPad.txt
.
=============== Created Last 30 ================
.
2011-11-24 15:18:23 508928 ----a-w- c:\windows\svcs.exe
2011-11-24 14:42:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-22 01:51:21 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-21 02:58:08 -------- d-----w- c:\documents and settings\bcarsto\application data\Tific
2011-11-21 02:57:37 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\Symantec
2011-11-20 00:22:22 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\NPE
2011-11-19 01:52:31 -------- d-----w- c:\documents and settings\bcarsto\application data\Malwarebytes
2011-11-19 01:51:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-19 01:51:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 01:51:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\TVrrllOBtxP0cSi
2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\tLL99hTXqjUClIr
2011-11-18 23:37:09 -------- d-----w- c:\program files\F1B49
2011-11-18 23:36:26 -------- d-----w- c:\program files\LP
2011-11-18 23:36:26 -------- d-----w- c:\documents and settings\bcarsto\application data\207F1
2011-11-18 23:36:23 -------- d-----w- c:\documents and settings\bcarsto\application data\QQQJJ6dEK8f
2011-11-18 23:36:22 -------- d-----w- c:\documents and settings\bcarsto\application data\CAA00uvS2ibFpm5
2011-11-18 23:36:16 -------- d-----w- c:\documents and settings\bcarsto\application data\neeekIIBrzOy
2011-11-18 23:36:15 -------- d-----w- c:\documents and settings\bcarsto\application data\qQQJJ6dEK8fR9hX
2011-11-15 22:57:21 -------- d-----w- c:\program files\Winmail Reader
.
==================== Find3M ====================
.
2011-11-16 13:25:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-19 13:07:16 216064 ----a-w- c:\windows\iun3405.exe
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 9:50:47.09 ===============