mjm1

Members, 17 posts

Everything posted by mjm1

  1. Ok, done. Firewall got another hit from "Deepthroat" a little while ago, but the attacks/hits/pings seem to be slowing down. Thanks for all your help, and will report back if/when I find something out, or have questions.
  2. Very professional, quick to respond and obviously knows his stuff. Very helpful to me, and obviously others. Thanks for the help, MrCharlie!

  3. No, but after I get to the bottom of this firewall attack business, I will take a hard look at getting it. I am not happy with Symantec not catching anything, even after full scans. I do realize one can't catch everything. It seems the Symantec firewall has a default rule blocking all of these oddball ports associated with these trojans. I will try to contact them about it. I'll take a look at your firewall as well. Thanks!
  4. OK, although I am thinking of dumping Symantec altogether because they didn't catch the trojans. It could also just be port scans or some such; I haven't a clue, but if they are trojans reacting to some message my computer is putting out, it is probably just a matter of time before one slips through an unwatched port. Thanks for all you have done thus far, much appreciated!
  5. Report below. The firewall alerts are what tipped me off to an infection, which turned out to be (?) win32/Agent.SZW and Vondu. Firewall shows multiple inbound trojan ports being used, as mentioned above. Even after I got rid of the Agent and Vondu, I am still getting them every 5-6-7 hours. Thanks!
  6. Yes, log entry below (I redacted the IP). I'll run the check now.

     Details: Rule "Default Block Rat Trojan horse" blocked (LORI_II(redacted),2989). Inbound UDP packet. Local address,service is (localhost,2989). Remote address,service is (LORI_II(redacted),2989). Process name is "N/A".

  7. Report below. My firewall shows an attack by "RAT" trojan at 10:53 AM today (EST). Hopefully that is the end of that. Can you tell me what causes this, and whether I should install a "clean" MBR after getting rid of the win32/Agent.SZW trojan? Please advise. Thanks.

     Malwarebytes Anti-Malware 1.60.1.1000
     www.malwarebytes.org

     Database version: v2012.02.29.03

     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     HP_Administrator :: LORI_II [administrator]

     2/29/2012 1:05:42 PM
     mbam-log-2012-02-29 (13-05-42).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 205738
     Time elapsed: 20 minute(s), 36 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)
  8. Seems my virus scan didn't turn off in a timely manner. Please advise whether you want me to run this again, and with another script.
  9. No reboot required. I deleted a couple of DLLs manually before I saw your reply. CF report follows:

ComboFix 12-02-29.01 - HP_Administrator 02/29/2012 11:07:12.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1214.247 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~1\mypoints\mypoints.dll
c:\program files\mozilla firefox\plugins\NPcol400.dll
c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
.
.
2012-02-29 15:05 . 2012-02-29 15:07 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-02-28 02:55 . 2012-02-28 02:55 -------- d-----w- c:\program files\ESET
2012-02-27 22:14 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-27 22:14 . 2012-02-27 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\NPE
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-16 00:09 . 2012-02-16 00:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 23:36 . 2012-02-15 23:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-02-15 23:34 . 2012-02-15 23:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-02-15 22:53 . 2012-02-15 23:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\MYPOINTS
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\FCTB000060497
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ConduitEngine
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western Digital
2012-02-15 22:49 . 2012-02-15 22:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2012-02-15 22:46 . 2012-02-15 22:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-02-15 20:56 . 2011-02-16 22:52 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2012-02-15 19:31 . 2012-02-17 20:16 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 18:52 . 2012-02-15 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2012-02-15 18:50 . 2012-02-15 20:55 -------- d-----w- c:\program files\Western Digital
2012-02-15 18:50 . 2012-02-15 19:38 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western Digital
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-09 15:31 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-02-09 15:31 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-02-09 15:29 . 2012-02-09 15:29 -------- d-----w- c:\program files\iPod
2012-02-09 15:28 . 2012-02-09 15:31 -------- d-----w- c:\program files\iTunes
2012-02-09 15:22 . 2012-02-09 15:22 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-10 05:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-21 16:45 . 2011-12-21 16:46 723294 ----a-w- c:\windows\unins000.exe
2011-12-17 19:46 . 2004-08-10 05:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-10 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-10 05:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-10 05:00 385024 ----a-w- c:\windows\system32\html.iec
2008-06-04 12:51 . 2008-06-04 12:29 5553 ----a-w- c:\program files\Common Files\acbackupreg.reg
2011-11-20 18:24 . 2011-06-10 16:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-10 05:00 94784 --sha-w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sha-w- c:\windows\twain_32.dll
2008-04-14 00:12 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2010-12-20 17:32 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sha-w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2008-10-08 21:44 495616 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
@="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
[HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
2008-10-08 21:44 491520 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-28 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 188416]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-10 273528]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
hpqtra08.exe [2008-3-25 214360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Quick View.lnk - c:\program files\Western Digital\WD SmartWare\WDDMStatus.exe [2011-8-1 3983760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 20:14 113152 ----a-w- c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 20:13 299520 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-27 15:52 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2008-06-10 20:18 785520 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-10-11 15:46 36864 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"hpqddsvc"=2 (0x2)
"VaultClientSRV"=2 (0x2)
"VaultClientUpgrade"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\MyPoints Point Finder\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Point Finder\\ToolbarUpdate.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\studio.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\ASUS\\RT-N12 Wireless Router Utilities\\Discovery.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SC247XF;SC247XF;c:\windows\system32\drivers\SC247XF.sys [9/13/2001 4:47 PM 14223]
R1 NEOFLTR_710_19757;Juniper Networks TDI Filter Driver (NEOFLTR_710_19757);c:\windows\system32\drivers\NEOFLTR_710_19757.SYS [1/25/2012 3:54 PM 85064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2012 8:41 PM 106104]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 10:19 PM 57856]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/26/2005 10:28 AM 108400]
S0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [7/8/2010 9:28 PM 149376]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [5/29/2011 1:56 PM 18560]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [5/29/2011 1:53 PM 33792]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [3/29/2004 1:26 AM 49024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/15/2012 3:56 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29]
.
2012-02-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-640800275-3246585749-3817686294-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2012-02-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-640800275-3246585749-3817686294-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2012-02-29 c:\windows\Tasks\User_Feed_Synchronization-{D5FE06CA-FC11-44AE-9267-AE6C7025BC83}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm
Trusted Zone: $talisma_url$
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.254
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\frqeg8v4.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z136&form=ZGAADF&install_date=20111221&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-29 11:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-640800275-3246585749-3817686294-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(956)
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
c:\program files\ActivIdentity\ActivClient\accsp.dll
c:\program files\ActivIdentity\ActivClient\Resources\accsprc.dll
c:\program files\ActivIdentity\ActivClient\acjscrfs.dll
c:\program files\Common Files\ActivIdentity\ac.sharedstoreps.dll
c:\program files\ActivIdentity\ActivClient\acjvscv2.dll
c:\program files\ActivIdentity\ActivClient\Resources\acjsc2rc.dll
.
Completion time: 2012-02-29 11:31:22
ComboFix-quarantined-files.txt 2012-02-29 16:31
ComboFix2.txt 2012-02-29 14:58
.
Pre-Run: 90,045,423,616 bytes free
Post-Run: 90,037,608,448 bytes free
.
- - End Of File - - EC8B7919502938D666F189A290878F69
  10. I can get rid of this junk - do I do it manually now, and do a run of something else?
  11. Nothing - was just reading your comment above. I got rid of the proxy number, and tried to rerun RK. Guess it doesn't matter?
  12. Sorry, I ran CF before I did a restore from RK quarantine folder, and now RK stops midway - please advise. Thanks.
  13. CF Report -

ComboFix 12-02-29.01 - HP_Administrator 02/29/2012 9:33.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1214.515 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\HPSU_48BitScanUpdate.log
c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\frqeg8v4.default\searchplugins\bing-zugo.xml
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\bwUnin-7.2.0.157-8876480SL.exe
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
.
.
2012-02-28 02:55 . 2012-02-28 02:55 -------- d-----w- c:\program files\ESET
2012-02-27 22:14 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-27 22:14 . 2012-02-27 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\NPE
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-16 00:09 . 2012-02-16 00:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 23:36 . 2012-02-15 23:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-02-15 23:34 . 2012-02-15 23:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-02-15 22:53 . 2012-02-15 23:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\MYPOINTS
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\FCTB000060497
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ConduitEngine
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western Digital
2012-02-15 22:49 . 2012-02-15 22:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2012-02-15 22:46 . 2012-02-15 22:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-02-15 20:56 . 2011-02-16 22:52 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2012-02-15 19:31 . 2012-02-17 20:16 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 18:52 . 2012-02-15 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2012-02-15 18:50 . 2012-02-15 20:55 -------- d-----w- c:\program files\Western Digital
2012-02-15 18:50 . 2012-02-15 19:38 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western Digital
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-09 15:31 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-02-09 15:31 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-02-09 15:29 . 2012-02-09 15:29 -------- d-----w- c:\program files\iPod
2012-02-09 15:28 . 2012-02-09 15:31 -------- d-----w- c:\program files\iTunes
2012-02-09 15:22 . 2012-02-09 15:22 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-10 05:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-21 16:45 . 2011-12-21 16:46 723294 ----a-w- c:\windows\unins000.exe
2011-12-17 19:46 . 2004-08-10 05:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-10 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-10 05:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-10 05:00 385024 ----a-w- c:\windows\system32\html.iec
2008-06-04 12:51 . 2008-06-04 12:29 5553 ----a-w- c:\program files\Common Files\acbackupreg.reg
2011-11-20 18:24 . 2011-06-10 16:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-10 05:00 94784 --sha-w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sha-w- c:\windows\twain_32.dll
2008-04-14 00:12 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sha-w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
2010-06-20 02:50 1547776 ----a-w- c:\program files\MyPoints Point Finder\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CEC4-75A487FD6484}]
2008-11-23 21:59 1909248 ----a-w- c:\progra~1\mypoints\mypoints.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-11-23 1909248]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Point Finder\Toolbar.dll" [2010-06-20 1547776]
.
[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]
.
[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Point Finder\Toolbar.dll" [2010-06-20 1547776]
.
[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2008-10-08 21:44 495616 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
@="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
[HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
2008-10-08 21:44 491520 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-28 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 188416]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-10 273528]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
hpqtra08.exe [2008-3-25 214360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Quick View.lnk - c:\program files\Western Digital\WD SmartWare\WDDMStatus.exe [2011-8-1 3983760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 20:14 113152 ----a-w- c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 20:13 299520 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-27 15:52 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2008-06-10 20:18 785520 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-10-11 15:46 36864 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"hpqddsvc"=2 (0x2)
"VaultClientSRV"=2 (0x2)
"VaultClientUpgrade"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\MyPoints Point Finder\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Point Finder\\ToolbarUpdate.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\studio.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\ASUS\\RT-N12 Wireless 
Router Utilities\\Discovery.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . R0 SC247XF;SC247XF;c:\windows\system32\drivers\SC247XF.sys [9/13/2001 4:47 PM 14223] R1 NEOFLTR_710_19757;Juniper Networks TDI Filter Driver (NEOFLTR_710_19757);c:\windows\system32\drivers\NEOFLTR_710_19757.SYS [1/25/2012 3:54 PM 85064] R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [6/3/2009 3:16 PM 207400] R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [9/26/2005 10:28 AM 258146] R2 MMIndexer;Media Manager Indexer;c:\program files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE [7/15/1997 136704] R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\x86\novacomd.exe [3/15/2011 3:35 PM 61440] R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WDDMService.exe [8/1/2011 10:11 AM 263056] R2 WDFMEService;WDFMEService;c:\program files\Western Digital\WD SmartWare\WDFME.exe [8/1/2011 10:11 AM 1592208] R2 WDRulesService;WDRulesService;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [8/1/2011 10:11 AM 1091984] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2012 8:41 PM 106104] R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/26/2005 10:28 AM 108400] S0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [7/8/2010 9:28 PM 149376] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/10/2010 1:29 PM 
136176] S2 McciServiceHost;McciServiceHost;"c:\program files\Common Files\Motive\McciServiceHost.exe" --> c:\program files\Common Files\Motive\McciServiceHost.exe [?] S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [5/29/2011 1:56 PM 18560] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/10/2010 1:29 PM 136176] S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [5/29/2011 1:53 PM 33792] S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [3/29/2004 1:26 AM 49024] S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/14/2007 6:48 PM 116416] S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 10:19 PM 57856] S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/15/2012 3:56 PM 11520] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504] S4 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe [10/8/2008 4:45 PM 981456] S4 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe [10/8/2008 4:45 PM 55760] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - TRUESIGHT *Deregistered* - TrueSight . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder . 2012-02-29 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57] . 2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29] . 
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29] . 2012-02-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-640800275-3246585749-3817686294-1008.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40] . 2012-02-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-640800275-3246585749-3817686294-1008.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40] . 2012-02-29 c:\windows\Tasks\User_Feed_Synchronization-{D5FE06CA-FC11-44AE-9267-AE6C7025BC83}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = 118.97.119.164:80 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm Trusted Zone: $talisma_url$ Trusted Zone: turbotax.com TCP: DhcpNameServer = 192.168.1.254 Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\frqeg8v4.default\ FF - prefs.js: browser.search.selectedEngine - Ask.com FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z136&form=ZGAADF&install_date=20111221&q= . - - - - ORPHANS REMOVED - - - - . 
Toolbar-Locked - (no file) WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) HKCU-Run-212B679BCC229656D917314ACDE51BAC2EEF83CD._service_run - c:\program files\Google\Chrome\Application\chrome.exe HKCU-Run-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe HKLM-Run-PCDrProfiler - (no file) AddRemove-LSI Soft Modem - c:\windows\agrsmdel AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-02-29 09:49 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-640800275-3246585749-3817686294-1008\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . 
- - - - - - - > 'winlogon.exe'(956) c:\program files\ActivIdentity\ActivClient\ackpbsc.dll c:\program files\ActivIdentity\ActivClient\aclog.dll c:\program files\ActivIdentity\ActivClient\accrypto.dll c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll c:\program files\ActivIdentity\ActivClient\acevtsub.dll c:\program files\ActivIdentity\ActivClient\asphat32.dll c:\program files\ActivIdentity\ActivClient\acerrmes.dll c:\program files\ActivIdentity\ActivClient\aiwinext.dll c:\program files\ActivIdentity\ActivClient\aspcom.dll c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll c:\windows\system32\Ati2evxx.dll c:\program files\ActivIdentity\ActivClient\acunlock.dll c:\program files\ActivIdentity\ActivClient\aipingui.dll c:\program files\ActivIdentity\ActivClient\aicext.dll c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll c:\program files\ActivIdentity\ActivClient\accsp.dll c:\program files\ActivIdentity\ActivClient\Resources\accsprc.dll c:\program files\ActivIdentity\ActivClient\acjscrfs.dll c:\program files\Common Files\ActivIdentity\ac.sharedstoreps.dll c:\program files\ActivIdentity\ActivClient\acjvscv2.dll c:\program files\ActivIdentity\ActivClient\Resources\acjsc2rc.dll . Completion time: 2012-02-29 09:58:32 ComboFix-quarantined-files.txt 2012-02-29 14:58 . Pre-Run: 89,913,860,096 bytes free Post-Run: 90,026,016,768 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=3 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons . 
- - End Of File - - B6A8063C6E345E05E9B0D47535ED85BC
  14. That proxy is in my IE, and I do believe I put it there a long time ago, and have not used it since - should I take it out and rerun Rogue?
  15. Thanks. Report below. I ran another ESET scan last night, as well as a full MBAM scan last night, and both found nothing. My firewall still reports MasterParadise, DeepThroat and RAT attacks every 6-7 hours. Maybe a clean MBR is needed, after removing the Agent.SZW? TIA. RogueKiller V7.2.0 [02/27/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User: HP_Administrator [Admin rights] Mode: Scan -- Date: 02/29/2012 08:55:25 ¤¤¤ Bad processes: 2 ¤¤¤ [sUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc] [sUSP PATH] JuniperSetupClient.exe -- C:\Documents and Settings\HP_Administrator\Application Data\Juniper Networks\Setup Client\JuniperSetupClient.exe -> KILLED [TermProc] ¤¤¤ Registry Entries: 5 ¤¤¤ [RANDOMNAME] HKLM\[...]\Run : PinnacleDriverCheck (C:\WINDOWS\system32\\PSDrvCheck.exe) -> FOUND [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (118.97.119.164:80) -> FOUND [HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> FOUND [HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver: [LOADED] ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD2500JS-60MHB1 +++++ --- User --- [MBR] b978857295c648f7c9e038708e5ddfe0 [bSP] 8a7884da59e414827f91c43dcf324e78 : Toshiba tatooed MBR Code Partition table: 0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 8711 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 17841600 | Size: 229753 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive1: HP Photosmart C4280 USB Device +++++ Error reading User MBR! User = LL1 ... OK! Error reading LL2 MBR! 
Finished : << RKreport[1].txt >> RKreport[1].txt
  16. I found the log from the first MBAM scan - can't copy and paste it because the computer is offline, but MBAM removed 2 Trojan.Vondu. Thanks.
  17. Merged 3 posts
Hi, my firewall says I am being attacked by:
Portal of Doom
Master Paradise
Deep Throat
RAT
My firewall is Symantec. My AV didn't find anything (up to date), nor did Spybot S+D. I am not experiencing any problems, aside from an extremely slow boot up. My firewall just keeps going off on those ports associated with the above. Please advise. Thanks.
DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30 Run by HP_Administrator at 20:56:56 on 2012-02-27 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1214.342 [GMT -5:00] . AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Client Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe svchost.exe C:\Program Files\LSI SoftModem\agrsmsvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe C:\program files\common files\installshield\updateservice\issch.exe C:\WINDOWS\arservice.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe C:\WINDOWS\ARPWRMSG.EXE C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe C:\HP\KBD\KBD.EXE C:\Program Files\LeapFrog\LeapFrog 
Connect\Monitor.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe C:\Program Files\ActivIdentity\ActivClient\acevents.exe C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe C:\program files\real\realplayer\update\realsched.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\hpqtra08.exe C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Palm, Inc\novacomd\x86\novacomd.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 svchost.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe C:\WINDOWS\system32\wwSecure.exe c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe C:\Program Files\Western Digital\WD SmartWare\WDFME.exe C:\WINDOWS\system32\svchost.exe -k hpdevmgmt C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Common 
Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe . ============== Pseudo HJT Report =============== . uSearch Page = uSearch Bar = uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = 118.97.119.164:80 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm mSearchAssistant = BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll BHO: Freecause Toolbar BHO: {614bda1f-9bef-4cd1-bde4-fa4804929b4a} - c:\program files\mypoints point finder\Toolbar.dll BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: MYPOINTS: {a057a204-bacc-4d26-cec4-75a487fd6484} - c:\progra~1\mypoints\mypoints.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: MYPOINTS: {a057a204-bacc-4d26-cec4-75a487fd6484} - c:\progra~1\mypoints\mypoints.dll TB: MyPoints Point Finder: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints point finder\Toolbar.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - 
c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File {555d4d79-4bd2-4094-a395-cfc534424a05} uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [212B679BCC229656D917314ACDE51BAC2EEF83CD._service_run] "c:\program files\google\chrome\application\chrome.exe" --type=service uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe" uRunOnce: [index Washer] c:\program files\webroot\washer\WashIdx.exe "HP_Administrator" mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [ehTray] c:\windows\ehome\ehtray.exe mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE mRun: [KBD] c:\hp\kbd\KBD.EXE mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe" mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe" mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe" mRun: [PCDrProfiler] mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [QuickTime 
Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdquic~1.lnk - c:\program files\western digital\wd smartware\WDDMStatus.exe IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll Trusted Zone: $talisma_url$ Trusted Zone: turbotax.com DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.cox.com/sdccommon/download/tgctlcm.cab DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228247357375 DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - 
hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://io.dcma.mil/dana-cached/sc/JuniperSetupClient.cab TCP: DhcpNameServer = 192.168.1.254 TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243 TCP: Interfaces\{FD46DAA1-DDF8-4A37-9641-AB347B20A235} : DhcpNameServer = 192.168.1.254 Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll Notify: ackpbsc - c:\program files\actividentity\activclient\ackpbsc.dll Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: NavLogon - c:\windows\system32\NavLogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . 
FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\frqeg8v4.default\ FF - prefs.js: browser.search.selectedEngine - Ask.com FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z136&form=ZGAADF&install_date=20111221&q= FF - prefs.js: network.proxy.socks - 127.0.0.1 FF - prefs.js: network.proxy.socks_port - 9050 FF - prefs.js: network.proxy.type - 1 FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll FF - plugin: c:\program files\common files\motive\npMotive.dll FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll . ============= SERVICES / DRIVERS =============== . 
Forgot to say that MBAM did find 2 "trojans", but apparently not the ones listed. Sorry, but I didn't keep the log. After restart, I ran it again and got the below. My firewall is still being attacked. Thanks.
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.27.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Administrator :: LORI_II [administrator]

2/27/2012 5:38:06 PM
mbam-log-2012-02-27 (17-38-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206472
Time elapsed: 10 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I ran ESET, and it found and deleted a variant of Win32./Agent.szw, out of a tempIMG folder and system restore. Was that the problem, and is it fixed? Do I do a reboot? Now I have a "bla" trojan/UDP attacking my firewall, in addition to the others. Please help. Thanks.
  18. Hi, I am a newbie, fwiw. Last week, my Symantec firewall started warning me that the following trojans were trying to get through:

Master of Paradise port 3129
Portal of Doom port 3700
Deep Throat port 2148
RAT port 2989

I ran MBAM, and although it said it found 2 trojans (but didn't identify them) and removed them, I am still getting attacked by the above (or the ports are being attacked). Before I ran MBAM, I ran my updated Symantec AV, and it found nothing. I also ran Spybot and even the new MS MRT, but nothing was found. Any ideas as to what to do next? I am going to go into safe mode and blow out all my temp files manually later. There is also another profile on my comp, so will do the same there. Is it possible this other profile is responsible for these attacks, in that the trojans reside there? It is my wife's computer, and neither of us uses the other profile, or hasn't in years. We are not in the habit of going to suspicious sites, or running unscanned executables. The whole thing is bizarre. Thanks in advance.