Posts posted by mjm1
This is the firewall I use:
http://www.softpedia...wall-Plus.shtml
Give it a try.
Do you have Malwarebytes Pro installed?
MrC
No, but after I get to the bottom of this firewall attack business, I will take a hard look at getting it. I am not happy with Symantec not catching anything, even after full scans. I do realize one can't catch everything -
Seems Symantec firewall has a default rule blocking all of these oddball ports associated with these trojans. Will try to contact them about it.
I'll take a look at your firewall as well. Thanks!
-
OK, although I am thinking of dumping Symantec altogether because they didn't catch the trojans. Could also just be port scans or some such - haven't a clue, but if they are trojans reacting to some message my computer is putting out, it is probably just a matter of time before one slips through an unwatched port.
Thanks for all you have done thus far, much appreciated!
-
Report below. The firewall alerts are what tipped me off to an infection, which turned out to be (?) win32/Agent.SZW and Vondu. Firewall shows multiple inbound trojan ports being used, as mentioned above. Even after I got rid of the Agent and Vondu, I am still getting them every 5-6-7 hours. Thanks!
MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0001e07c
Kernel Drivers (total 166):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xBA0A8000 pofy.sys
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0B8000 isapnp.sys
0xBA0C8000 ohci1394.sys
0xBA0D8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0E8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5B0000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0F8000 VolSnap.sys
0xB9E36000 atapi.sys
0xBA4BC000 SC247XF.sys
0xB9E1E000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xBA108000 disk.sys
0xBA118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9DD9000 fltmgr.sys
0xB9DC7000 sr.sys
0xBA128000 PxHelp20.sys
0xB9DB0000 KSecDD.sys
0xB9D23000 Ntfs.sys
0xB9CF6000 NDIS.sys
0xB9CDC000 Mup.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\aracpi.sys
0xB9B46000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB9B32000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB9B0E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3B8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA3C0000 \SystemRoot\System32\Drivers\ASAPIW2K.sys
0xBA55C000 \SystemRoot\System32\Drivers\cdrbsdrv.SYS
0xBA208000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA218000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9AEB000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3C8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB99CE000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xBA5C2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA3D0000 \SystemRoot\System32\Drivers\Modem.SYS
0xB99AE000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xBA228000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB95F1000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB95CD000 \SystemRoot\system32\drivers\portcls.sys
0xBA248000 \SystemRoot\system32\drivers\drmk.sys
0xB95B9000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA570000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xBA6BE000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA574000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB957A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9569000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB94AE000 \SystemRoot\system32\DRIVERS\vna.sys
0xB947E000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5C4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9420000 \SystemRoot\system32\DRIVERS\update.sys
0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA308000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA168000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB5358000 \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys
0xB5336000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xB5322000 \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys
0xBA420000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA1A8000 \SystemRoot\system32\drivers\LVUSBSta.sys
0xBA550000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xBA428000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA430000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xBA438000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBA1B8000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xB4B1E000 \SystemRoot\system32\DRIVERS\lvuvc.sys
0xB4B03000 \SystemRoot\system32\DRIVERS\lvpopflt.sys
0xBA1C8000 \SystemRoot\system32\drivers\usbaudio.sys
0xB4AC3000 \SystemRoot\system32\DRIVERS\lvrs.sys
0xBA554000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xBA5D4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA788000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5D6000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA450000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA458000 \SystemRoot\System32\drivers\vga.sys
0xBA5EA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5EC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA460000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA468000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9599000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB49F0000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB4997000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB497F000 \??\C:\WINDOWS\system32\Drivers\NEOFLTR_710_19757.SYS
0xB4959000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA258000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB491E000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xB9418000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
0xBA278000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBA288000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xBA470000 \SystemRoot\System32\Drivers\SYMDNS.SYS
0xB9410000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA298000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB9559000 \SystemRoot\System32\Drivers\SYMNDIS.SYS
0xBA478000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
0xB48CD000 \SystemRoot\System32\Drivers\SYMFW.SYS
0xB9408000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB9549000 \SystemRoot\System32\Drivers\SYMIDS.SYS
0xBA5F4000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xB4886000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20120223.001\symidsco.sys
0xB9404000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA5F8000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xB485E000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB483C000 \SystemRoot\System32\drivers\afd.sys
0xB9539000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB47DA000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0xB47AF000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB93FC000 \??\C:\WINDOWS\system32\drivers\pclepci.sys
0xB473F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB9519000 \SystemRoot\System32\Drivers\Fips.SYS
0xB46E1000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xB46C3000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xB4677000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB465F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA604000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB53B4000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA498000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7DA000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF051000 \SystemRoot\System32\ati2cqag.dll
0xBF08A000 \SystemRoot\System32\atikvmag.dll
0xBF0BF000 \SystemRoot\System32\ati3duag.dll
0xBF30C000 \SystemRoot\System32\ativvaxx.dll
0xBF39F000 \SystemRoot\System32\ATMFD.DLL
0xB2319000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys
0xB24DF000 \SystemRoot\system32\DRIVERS\nwlnknb.sys
0xB244B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB250F000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys
0xB1CC4000 \SystemRoot\system32\drivers\wdmaud.sys
0xB1E81000 \SystemRoot\system32\drivers\sysaudio.sys
0xB1977000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB1C9C000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xB1756000 \SystemRoot\System32\Drivers\HTTP.sys
0xB16D6000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA4A8000 \SystemRoot\system32\Drivers\LVPr2Mon.sys
0xB127E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB06CE000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120225.008\navex15.sys
0xB068F000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120225.008\naveng.sys
0xBA636000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xBA338000 \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys
0xAFC71000 \??\c:\windows\system32\drivers\TrueSight.sys
0xAFD60000 \SystemRoot\system32\DRIVERS\SCR3XX2K.sys
0xAF815000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 83):
0 System Idle Process
4 System
848 C:\WINDOWS\system32\smss.exe
912 csrss.exe
956 C:\WINDOWS\system32\winlogon.exe
1000 C:\WINDOWS\system32\services.exe
1012 C:\WINDOWS\system32\lsass.exe
1176 C:\WINDOWS\system32\ati2evxx.exe
1192 C:\WINDOWS\system32\svchost.exe
1252 svchost.exe
1396 C:\WINDOWS\system32\svchost.exe
1592 svchost.exe
1712 svchost.exe
1760 acevents.exe
436 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
672 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
904 C:\WINDOWS\system32\ati2evxx.exe
1376 C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
1500 C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
1576 C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
1668 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
1956 C:\WINDOWS\system32\spoolsv.exe
2000 C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
2040 scardsvr.exe
276 svchost.exe
320 C:\Program Files\LSI SoftModem\agrsmsvc.exe
504 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
828 C:\WINDOWS\arservice.exe
576 C:\Program Files\Bonjour\mDNSResponder.exe
544 C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
584 C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
1452 C:\WINDOWS\ehome\ehrecvr.exe
720 C:\WINDOWS\ehome\ehSched.exe
2228 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
2300 C:\Program Files\Java\jre6\bin\jqs.exe
2376 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
2572 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2672 C:\Program Files\Common Files\Motive\McciCMService.exe
2724 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2756 C:\Program Files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE
2916 C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
2944 C:\WINDOWS\system32\svchost.exe
2992 C:\Program Files\Palm, Inc\novacomd\x86\novacomd.exe
3004 C:\WINDOWS\system32\svchost.exe
3040 svchost.exe
3052 C:\WINDOWS\system32\svchost.exe
3232 C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
3468 C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
3636 C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
3692 C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
3812 C:\WINDOWS\system32\wwSecure.exe
3856 mcrdsvc.exe
3952 C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
4044 C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
3436 C:\WINDOWS\system32\dllhost.exe
1844 alg.exe
648 C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
3132 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
1276 C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
3488 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3676 C:\WINDOWS\ehome\ehtray.exe
464 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2088 C:\hp\KBD\kbd.exe
2440 C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
2620 C:\WINDOWS\ehome\ehmsas.exe
2924 C:\Program Files\ActivIdentity\ActivClient\acevents.exe
2280 C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
3348 C:\Program Files\Real\RealPlayer\Update\realsched.exe
3864 C:\Program Files\Common Files\Java\Java Update\jusched.exe
4260 C:\Program Files\iTunes\iTunesHelper.exe
4300 C:\WINDOWS\system32\ctfmon.exe
4484 C:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe
5160 C:\WINDOWS\system32\svchost.exe
5836 C:\Program Files\iPod\bin\iPodService.exe
432 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
4252 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
5272 C:\WINDOWS\ALCXMNTR.EXE
2120 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
4768 C:\WINDOWS\system\hpsysdrv.exe
5376 C:\WINDOWS\explorer.exe
1948 C:\WINDOWS\system32\notepad.exe
5224 C:\WINDOWS\system32\notepad.exe
5988 C:\Documents and Settings\HP_Administrator\Desktop\Pictures For Mike\New Folder\New Folder\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`207b8000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
PhysicalDrive0 Model Number: WDCWD2500JS-60MHB1, Rev: 10.02E02
Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972
Done!
-
Yes, log entry below (I redacted IP). I'll run the check now.
Details: Rule "Default Block Rat Trojan horse" blocked (LORI_II(redacted),2989).
Inbound UDP packet.
Local address,service is (localhost,2989).
Remote address,service is (LORI_II(redacted),2989).
Process name is "N/A".
-
Report below. My firewall shows an attack by "RAT" trojan at 10:53 AM today (EST). Hopefully that is the end of that. Can you tell me what causes this, and whether I should install a "clean" MBR after getting rid of the win32/Agent.SZW trojan? Please advise. Thanks.
Malwarebytes Anti-Malware 1.60.1.1000
Database version: v2012.02.29.03
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Administrator :: LORI_II [administrator]
2/29/2012 1:05:42 PM
mbam-log-2012-02-29 (13-05-42).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205738
Time elapsed: 20 minute(s), 36 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Seems my virus scan didn't turn off in a timely manner - please advise whether you want me to run this again, and with another script -
ComboFix 12-02-29.01 - HP_Administrator 02/29/2012 12:03:44.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1214.497 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
.
.
2012-02-29 15:05 . 2012-02-29 15:07 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-02-28 02:55 . 2012-02-28 02:55 -------- d-----w- c:\program files\ESET
2012-02-27 22:14 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-27 22:14 . 2012-02-27 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\NPE
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-16 00:09 . 2012-02-16 00:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 23:36 . 2012-02-15 23:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-02-15 23:34 . 2012-02-15 23:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-02-15 22:53 . 2012-02-15 23:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\MYPOINTS
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\FCTB000060497
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ConduitEngine
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western Digital
2012-02-15 22:49 . 2012-02-15 22:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2012-02-15 22:46 . 2012-02-15 22:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-02-15 20:56 . 2011-02-16 22:52 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2012-02-15 19:31 . 2012-02-17 20:16 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 18:52 . 2012-02-15 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2012-02-15 18:50 . 2012-02-15 20:55 -------- d-----w- c:\program files\Western Digital
2012-02-15 18:50 . 2012-02-15 19:38 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western Digital
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-09 15:31 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-02-09 15:31 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-02-09 15:29 . 2012-02-09 15:29 -------- d-----w- c:\program files\iPod
2012-02-09 15:28 . 2012-02-09 15:31 -------- d-----w- c:\program files\iTunes
2012-02-09 15:22 . 2012-02-09 15:22 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-10 05:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-21 16:45 . 2011-12-21 16:46 723294 ----a-w- c:\windows\unins000.exe
2011-12-17 19:46 . 2004-08-10 05:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-10 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-10 05:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-10 05:00 385024 ----a-w- c:\windows\system32\html.iec
2008-06-04 12:51 . 2008-06-04 12:29 5553 ----a-w- c:\program files\Common Files\acbackupreg.reg
2011-11-20 18:24 . 2011-06-10 16:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-10 05:00 94784 --sha-w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sha-w- c:\windows\twain_32.dll
2008-04-14 00:12 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2010-12-20 17:32 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sha-w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2008-10-08 21:44 495616 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
@="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
[HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
2008-10-08 21:44 491520 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-28 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 188416]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-10 273528]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
hpqtra08.exe [2008-3-25 214360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Quick View.lnk - c:\program files\Western Digital\WD SmartWare\WDDMStatus.exe [2011-8-1 3983760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 20:14 113152 ----a-w- c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 20:13 299520 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-27 15:52 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2008-06-10 20:18 785520 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-10-11 15:46 36864 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"hpqddsvc"=2 (0x2)
"VaultClientSRV"=2 (0x2)
"VaultClientUpgrade"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\studio.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\ASUS\\RT-N12 Wireless Router Utilities\\Discovery.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SC247XF;SC247XF;c:\windows\system32\drivers\SC247XF.sys [9/13/2001 4:47 PM 14223]
R1 NEOFLTR_710_19757;Juniper Networks TDI Filter Driver (NEOFLTR_710_19757);c:\windows\system32\drivers\NEOFLTR_710_19757.SYS [1/25/2012 3:54 PM 85064]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [6/3/2009 3:16 PM 207400]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [9/26/2005 10:28 AM 258146]
R2 MMIndexer;Media Manager Indexer;c:\program files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE [7/15/1997 136704]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\x86\novacomd.exe [3/15/2011 3:35 PM 61440]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WDDMService.exe [8/1/2011 10:11 AM 263056]
R2 WDFMEService;WDFMEService;c:\program files\Western Digital\WD SmartWare\WDFME.exe [8/1/2011 10:11 AM 1592208]
R2 WDRulesService;WDRulesService;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [8/1/2011 10:11 AM 1091984]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2012 8:41 PM 106104]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 10:19 PM 57856]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/26/2005 10:28 AM 108400]
S0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [7/8/2010 9:28 PM 149376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/10/2010 1:29 PM 136176]
S2 McciServiceHost;McciServiceHost;"c:\program files\Common Files\Motive\McciServiceHost.exe" --> c:\program files\Common Files\Motive\McciServiceHost.exe [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [5/29/2011 1:56 PM 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/10/2010 1:29 PM 136176]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [5/29/2011 1:53 PM 33792]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [3/29/2004 1:26 AM 49024]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/14/2007 6:48 PM 116416]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/15/2012 3:56 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe [10/8/2008 4:45 PM 981456]
S4 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe [10/8/2008 4:45 PM 55760]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29]
.
2012-02-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-640800275-3246585749-3817686294-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2012-02-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-640800275-3246585749-3817686294-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2012-02-29 c:\windows\Tasks\User_Feed_Synchronization-{D5FE06CA-FC11-44AE-9267-AE6C7025BC83}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm
Trusted Zone: $talisma_url$
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.254
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\frqeg8v4.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z136&form=ZGAADF&install_date=20111221&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-29 12:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-640800275-3246585749-3817686294-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(956)
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
c:\program files\ActivIdentity\ActivClient\accsp.dll
c:\program files\ActivIdentity\ActivClient\Resources\accsprc.dll
c:\program files\ActivIdentity\ActivClient\acjscrfs.dll
c:\program files\Common Files\ActivIdentity\ac.sharedstoreps.dll
c:\program files\ActivIdentity\ActivClient\acjvscv2.dll
c:\program files\ActivIdentity\ActivClient\Resources\acjsc2rc.dll
.
- - - - - - - > 'explorer.exe'(5376)
c:\windows\system32\WININET.dll
c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll
c:\program files\Cox\Media Store and Share Backup Manager\LIBEXPAT.dll
c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-29 12:24:09
ComboFix-quarantined-files.txt 2012-02-29 17:24
ComboFix2.txt 2012-02-29 16:31
ComboFix3.txt 2012-02-29 14:58
.
Pre-Run: 90,046,509,056 bytes free
Post-Run: 90,019,422,208 bytes free
.
- - End Of File - - D5E4B18CC1C09A0AE7155131C984D6A5
-
No reboot required. I deleted a couple of DLLs manually before I saw your reply. CF report follows:
ComboFix 12-02-29.01 - HP_Administrator 02/29/2012 11:07:12.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1214.247 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~1\mypoints\mypoints.dll
c:\program files\mozilla firefox\plugins\NPcol400.dll
c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
.
.
2012-02-29 15:05 . 2012-02-29 15:07 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-02-28 02:55 . 2012-02-28 02:55 -------- d-----w- c:\program files\ESET
2012-02-27 22:14 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-27 22:14 . 2012-02-27 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\NPE
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-16 00:09 . 2012-02-16 00:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 23:36 . 2012-02-15 23:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-02-15 23:34 . 2012-02-15 23:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-02-15 22:53 . 2012-02-15 23:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\MYPOINTS
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\FCTB000060497
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ConduitEngine
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western Digital
2012-02-15 22:49 . 2012-02-15 22:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2012-02-15 22:46 . 2012-02-15 22:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-02-15 20:56 . 2011-02-16 22:52 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2012-02-15 19:31 . 2012-02-17 20:16 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 18:52 . 2012-02-15 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2012-02-15 18:50 . 2012-02-15 20:55 -------- d-----w- c:\program files\Western Digital
2012-02-15 18:50 . 2012-02-15 19:38 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western Digital
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-09 15:31 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-02-09 15:31 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-02-09 15:29 . 2012-02-09 15:29 -------- d-----w- c:\program files\iPod
2012-02-09 15:28 . 2012-02-09 15:31 -------- d-----w- c:\program files\iTunes
2012-02-09 15:22 . 2012-02-09 15:22 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-10 05:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-21 16:45 . 2011-12-21 16:46 723294 ----a-w- c:\windows\unins000.exe
2011-12-17 19:46 . 2004-08-10 05:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-10 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-10 05:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-10 05:00 385024 ----a-w- c:\windows\system32\html.iec
2008-06-04 12:51 . 2008-06-04 12:29 5553 ----a-w- c:\program files\Common Files\acbackupreg.reg
2011-11-20 18:24 . 2011-06-10 16:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-10 05:00 94784 --sha-w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sha-w- c:\windows\twain_32.dll
2008-04-14 00:12 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2010-12-20 17:32 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sha-w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2008-10-08 21:44 495616 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
@="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
[HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
2008-10-08 21:44 491520 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-28 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 188416]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-10 273528]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
hpqtra08.exe [2008-3-25 214360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Quick View.lnk - c:\program files\Western Digital\WD SmartWare\WDDMStatus.exe [2011-8-1 3983760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 20:14 113152 ----a-w- c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 20:13 299520 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-27 15:52 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2008-06-10 20:18 785520 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-10-11 15:46 36864 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"hpqddsvc"=2 (0x2)
"VaultClientSRV"=2 (0x2)
"VaultClientUpgrade"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\MyPoints Point Finder\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Point Finder\\ToolbarUpdate.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\studio.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\ASUS\\RT-N12 Wireless Router Utilities\\Discovery.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SC247XF;SC247XF;c:\windows\system32\drivers\SC247XF.sys [9/13/2001 4:47 PM 14223]
R1 NEOFLTR_710_19757;Juniper Networks TDI Filter Driver (NEOFLTR_710_19757);c:\windows\system32\drivers\NEOFLTR_710_19757.SYS [1/25/2012 3:54 PM 85064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2012 8:41 PM 106104]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 10:19 PM 57856]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/26/2005 10:28 AM 108400]
S0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [7/8/2010 9:28 PM 149376]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [5/29/2011 1:56 PM 18560]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [5/29/2011 1:53 PM 33792]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [3/29/2004 1:26 AM 49024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/15/2012 3:56 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29]
.
2012-02-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-640800275-3246585749-3817686294-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2012-02-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-640800275-3246585749-3817686294-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2012-02-29 c:\windows\Tasks\User_Feed_Synchronization-{D5FE06CA-FC11-44AE-9267-AE6C7025BC83}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm
Trusted Zone: $talisma_url$
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.254
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\frqeg8v4.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z136&form=ZGAADF&install_date=20111221&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-29 11:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-640800275-3246585749-3817686294-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(956)
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
c:\program files\ActivIdentity\ActivClient\accsp.dll
c:\program files\ActivIdentity\ActivClient\Resources\accsprc.dll
c:\program files\ActivIdentity\ActivClient\acjscrfs.dll
c:\program files\Common Files\ActivIdentity\ac.sharedstoreps.dll
c:\program files\ActivIdentity\ActivClient\acjvscv2.dll
c:\program files\ActivIdentity\ActivClient\Resources\acjsc2rc.dll
.
Completion time: 2012-02-29 11:31:22
ComboFix-quarantined-files.txt 2012-02-29 16:31
ComboFix2.txt 2012-02-29 14:58
.
Pre-Run: 90,045,423,616 bytes free
Post-Run: 90,037,608,448 bytes free
.
- - End Of File - - EC8B7919502938D666F189A290878F69
-
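The ComboFix reports in this thread repeat two row shapes that are worth reading mechanically when several runs have to be compared: the "Files Created" rows (created time, last-modified time, size or dashes for a directory, an eight-slot attribute field such as `----a-w-` or `d-sh--w-`, then the path) and the `HKLM\...\Run` rows (`"name"="path" [yyyy-mm-dd size]`). Below is a small Python triage helper for those rows. It is an added example, not part of the original thread and not ComboFix's own code; the regular expressions, the "driver created since date X" filter and the "Run value with no directory component" check are this example's own heuristics, and the sample rows are copied in shape from the logs posted above rather than being a complete log. The bare-filename check matters because Windows resolves a value like `ARPWRMSG.EXE` through the executable search path, so the row alone does not tell you which file on disk is launched; it flags the entry for verification, not as malicious (the HP AlwaysReady entry is a stock OEM autostart).

```python
"""Triage helpers for ComboFix-style log rows (added example, not ComboFix code)."""
import re
from datetime import datetime

# "Files Created" rows:  <created> . <modified>  <size|dashes>  <attrs>  <path>
_CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
# Run-key rows:  "name"="path" [yyyy-mm-dd size]
_RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]\s*$'
)
_TS = "%Y-%m-%d %H:%M"


def parse_created(line):
    """Parse one 'Files Created' row; return None for rows of another shape."""
    m = _CREATED_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["created"] = datetime.strptime(d["created"], _TS)
    d["modified"] = datetime.strptime(d["modified"], _TS)
    d["is_dir"] = d["attrs"][0] == "d"      # 'd' occupies the first flag slot for directories
    d["hidden"] = "h" in d["attrs"]         # hidden flag, e.g. d-sh--w-
    d["size"] = None if d["size"].startswith("-") else int(d["size"])
    return d


def parse_run(line):
    """Parse one HKLM\\...\\Run row; return None for rows of another shape."""
    m = _RUN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    d["qualified"] = "\\" in d["path"]      # False for a bare filename such as ARPWRMSG.EXE
    return d


def recent_drivers(lines, since):
    """Kernel drivers (*.sys) whose created time is on or after `since` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    out = []
    for line in lines:
        e = parse_created(line)
        if e and not e["is_dir"] and e["path"].lower().endswith(".sys") and e["created"] >= cutoff:
            out.append(e)
    return out


def unqualified_run_entries(lines):
    """Run values with no directory component. Windows resolves these through the
    executable search path, so the analyst must confirm which file actually launches."""
    return [r for r in (parse_run(l) for l in lines) if r and not r["qualified"]]


# Constructed sample rows, copied in shape from the reports above (not a complete log)
SAMPLE_CREATED = r"""
2012-02-29 15:05 . 2012-02-29 15:07 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-02-28 02:55 . 2012-02-28 02:55 -------- d-----w- c:\program files\ESET
2012-02-27 22:14 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-15 23:34 . 2012-02-15 23:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-02-09 15:31 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
""".strip().splitlines()

SAMPLE_RUN = r"""
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
""".strip().splitlines()

if __name__ == "__main__":
    for e in recent_drivers(SAMPLE_CREATED, "2012-02-20"):
        print("driver created %s: %s" % (e["created"], e["path"]))
    for r in unqualified_run_entries(SAMPLE_RUN):
        print("verify on disk: %s -> %s" % (r["name"], r["path"]))
```

Run it over a whole ComboFix report by passing the report's lines to both functions; rows of other shapes (section banners, catchme output, "." spacers) simply parse to None and are skipped. The date cutoff is the analyst's choice: here it is set just before the first firewall alerts described in the thread, so TrueSight.sys (the tool's own driver) and mbam.sys surface while the older GEARAspiWDM.sys does not.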
I can get rid of this junk - do I do it manually now, and do a run of something else?
-
Nothing - was just reading your comment above. I got rid of the proxy number, and tried to rerun RK. Guess it doesn't matter?
-
Sorry, I ran CF before I did a restore from the RK quarantine folder, and now RK stops midway - please advise. Thanks.
-
CF Report -
ComboFix 12-02-29.01 - HP_Administrator 02/29/2012 9:33.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1214.515 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\HPSU_48BitScanUpdate.log
c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\frqeg8v4.default\searchplugins\bing-zugo.xml
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\bwUnin-7.2.0.157-8876480SL.exe
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
.
.
2012-02-28 02:55 . 2012-02-28 02:55 -------- d-----w- c:\program files\ESET
2012-02-27 22:14 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-27 22:14 . 2012-02-27 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\NPE
2012-02-27 03:04 . 2012-02-27 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-26 18:16 . 2012-02-26 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2012-02-25 22:32 . 2012-02-25 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-16 00:09 . 2012-02-16 00:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 23:36 . 2012-02-15 23:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-02-15 23:34 . 2012-02-15 23:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-02-15 22:53 . 2012-02-15 23:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\MYPOINTS
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\FCTB000060497
2012-02-15 22:51 . 2012-02-15 22:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ConduitEngine
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2012-02-15 22:50 . 2012-02-15 22:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western Digital
2012-02-15 22:49 . 2012-02-15 22:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2012-02-15 22:46 . 2012-02-15 22:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-02-15 20:56 . 2011-02-16 22:52 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2012-02-15 19:31 . 2012-02-17 20:16 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western_Digital
2012-02-15 18:52 . 2012-02-15 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2012-02-15 18:50 . 2012-02-15 20:55 -------- d-----w- c:\program files\Western Digital
2012-02-15 18:50 . 2012-02-15 19:38 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Western Digital
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 21:34 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-09 15:31 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-02-09 15:31 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-02-09 15:29 . 2012-02-09 15:29 -------- d-----w- c:\program files\iPod
2012-02-09 15:28 . 2012-02-09 15:31 -------- d-----w- c:\program files\iTunes
2012-02-09 15:22 . 2012-02-09 15:22 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 16:53 . 2004-08-10 05:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-21 16:45 . 2011-12-21 16:46 723294 ----a-w- c:\windows\unins000.exe
2011-12-17 19:46 . 2004-08-10 05:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-10 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-10 05:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-10 05:00 385024 ----a-w- c:\windows\system32\html.iec
2008-06-04 12:51 . 2008-06-04 12:29 5553 ----a-w- c:\program files\Common Files\acbackupreg.reg
2011-11-20 18:24 . 2011-06-10 16:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-10 05:00 94784 --sha-w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sha-w- c:\windows\twain_32.dll
2008-04-14 00:12 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sha-w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
2010-06-20 02:50 1547776 ----a-w- c:\program files\MyPoints Point Finder\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CEC4-75A487FD6484}]
2008-11-23 21:59 1909248 ----a-w- c:\progra~1\mypoints\mypoints.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-11-23 1909248]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Point Finder\Toolbar.dll" [2010-06-20 1547776]
.
[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]
.
[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Point Finder\Toolbar.dll" [2010-06-20 1547776]
.
[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2008-10-08 21:44 495616 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
@="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
[HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
2008-10-08 21:44 491520 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-28 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 188416]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-10 273528]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
hpqtra08.exe [2008-3-25 214360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Quick View.lnk - c:\program files\Western Digital\WD SmartWare\WDDMStatus.exe [2011-8-1 3983760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 20:14 113152 ----a-w- c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 20:13 299520 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-27 15:52 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2008-06-10 20:18 785520 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 22:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-10-11 15:46 36864 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"hpqddsvc"=2 (0x2)
"VaultClientSRV"=2 (0x2)
"VaultClientUpgrade"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\MyPoints Point Finder\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Point Finder\\ToolbarUpdate.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\studio.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\ASUS\\RT-N12 Wireless Router Utilities\\Discovery.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SC247XF;SC247XF;c:\windows\system32\drivers\SC247XF.sys [9/13/2001 4:47 PM 14223]
R1 NEOFLTR_710_19757;Juniper Networks TDI Filter Driver (NEOFLTR_710_19757);c:\windows\system32\drivers\NEOFLTR_710_19757.SYS [1/25/2012 3:54 PM 85064]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [6/3/2009 3:16 PM 207400]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [9/26/2005 10:28 AM 258146]
R2 MMIndexer;Media Manager Indexer;c:\program files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE [7/15/1997 136704]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\x86\novacomd.exe [3/15/2011 3:35 PM 61440]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WDDMService.exe [8/1/2011 10:11 AM 263056]
R2 WDFMEService;WDFMEService;c:\program files\Western Digital\WD SmartWare\WDFME.exe [8/1/2011 10:11 AM 1592208]
R2 WDRulesService;WDRulesService;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [8/1/2011 10:11 AM 1091984]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2012 8:41 PM 106104]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/26/2005 10:28 AM 108400]
S0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [7/8/2010 9:28 PM 149376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/10/2010 1:29 PM 136176]
S2 McciServiceHost;McciServiceHost;"c:\program files\Common Files\Motive\McciServiceHost.exe" --> c:\program files\Common Files\Motive\McciServiceHost.exe [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [5/29/2011 1:56 PM 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/10/2010 1:29 PM 136176]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [5/29/2011 1:53 PM 33792]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [3/29/2004 1:26 AM 49024]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/14/2007 6:48 PM 116416]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 10:19 PM 57856]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/15/2012 3:56 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe [10/8/2008 4:45 PM 981456]
S4 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe [10/8/2008 4:45 PM 55760]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-10 18:29]
.
2012-02-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-640800275-3246585749-3817686294-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2012-02-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-640800275-3246585749-3817686294-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2012-02-29 c:\windows\Tasks\User_Feed_Synchronization-{D5FE06CA-FC11-44AE-9267-AE6C7025BC83}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 118.97.119.164:80
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm
Trusted Zone: $talisma_url$
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.254
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\frqeg8v4.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z136&form=ZGAADF&install_date=20111221&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-212B679BCC229656D917314ACDE51BAC2EEF83CD._service_run - c:\program files\Google\Chrome\Application\chrome.exe
HKCU-Run-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
HKLM-Run-PCDrProfiler - (no file)
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-29 09:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-640800275-3246585749-3817686294-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(956)
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
c:\program files\ActivIdentity\ActivClient\accsp.dll
c:\program files\ActivIdentity\ActivClient\Resources\accsprc.dll
c:\program files\ActivIdentity\ActivClient\acjscrfs.dll
c:\program files\Common Files\ActivIdentity\ac.sharedstoreps.dll
c:\program files\ActivIdentity\ActivClient\acjvscv2.dll
c:\program files\ActivIdentity\ActivClient\Resources\acjsc2rc.dll
.
Completion time: 2012-02-29 09:58:32
ComboFix-quarantined-files.txt 2012-02-29 14:58
.
Pre-Run: 89,913,860,096 bytes free
Post-Run: 90,026,016,768 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
- - End Of File - - B6A8063C6E345E05E9B0D47535ED85BC
-
That proxy is in my IE, and I do believe I put it there a long time ago, and have not used it since - should I take it out and rerun Rogue?
-
Thanks. Report below. I ran another ESET scan last night, as well as a full MBAM scan last night, and both found nothing. My firewall still reports MasterParadise, DeepThroat and RAT attacks every 6-7 hours. Maybe a clean MBR is needed, after removing the Agent.SZW? TIA.
RogueKiller V7.2.0 [02/27/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: HP_Administrator [Admin rights]
Mode: Scan -- Date: 02/29/2012 08:55:25
¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc]
[SUSP PATH] JuniperSetupClient.exe -- C:\Documents and Settings\HP_Administrator\Application Data\Juniper Networks\Setup Client\JuniperSetupClient.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 5 ¤¤¤
[RANDOMNAME] HKLM\[...]\Run : PinnacleDriverCheck (C:\WINDOWS\system32\\PSDrvCheck.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (118.97.119.164:80) -> FOUND
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD2500JS-60MHB1 +++++
--- User ---
[MBR] b978857295c648f7c9e038708e5ddfe0
[BSP] 8a7884da59e414827f91c43dcf324e78 : Toshiba tatooed MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 8711 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 17841600 | Size: 229753 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: HP Photosmart C4280 USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
-
I found the log from the first MBAM scan - can't copy and paste it because the computer is offline, but MBAM removed 2 Trojan.Vondu. Thanks.
-
Merged 3 posts
Hi,
My firewall says I am being attacked by:
Portal of Doom
Master Paradise
Deep Throat
RAT
My firewall is Symantec. My AV didn't find anything (up to date), nor did Spybot S+D. I am not experiencing any problems, aside from an extremely slow boot-up. My firewall just keeps going off on those ports associated with the above. Please advise. Thanks.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by HP_Administrator at 20:56:56 on 2012-02-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1214.342 [GMT -5:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\program files\common files\installshield\updateservice\issch.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\hpqtra08.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Palm, Inc\novacomd\x86\novacomd.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
C:\WINDOWS\system32\wwSecure.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 118.97.119.164:80
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Freecause Toolbar BHO: {614bda1f-9bef-4cd1-bde4-fa4804929b4a} - c:\program files\mypoints point finder\Toolbar.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MYPOINTS: {a057a204-bacc-4d26-cec4-75a487fd6484} - c:\progra~1\mypoints\mypoints.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MYPOINTS: {a057a204-bacc-4d26-cec4-75a487fd6484} - c:\progra~1\mypoints\mypoints.dll
TB: MyPoints Point Finder: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints point finder\Toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [212B679BCC229656D917314ACDE51BAC2EEF83CD._service_run] "c:\program files\google\chrome\application\chrome.exe" --type=service
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRunOnce: [Index Washer] c:\program files\webroot\washer\WashIdx.exe "HP_Administrator"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [PCDrProfiler]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdquic~1.lnk - c:\program files\western digital\wd smartware\WDDMStatus.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: $talisma_url$
Trusted Zone: turbotax.com
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.cox.com/sdccommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228247357375
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://io.dcma.mil/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{FD46DAA1-DDF8-4A37-9641-AB347B20A235} : DhcpNameServer = 192.168.1.254
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Notify: ackpbsc - c:\program files\actividentity\activclient\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\frqeg8v4.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z136&form=ZGAADF&install_date=20111221&q=
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SC247XF;SC247XF;c:\windows\system32\drivers\SC247XF.sys [2001-9-13 14223]
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2010-7-8 149376]
R1 NEOFLTR_710_19757;Juniper Networks TDI Filter Driver (NEOFLTR_710_19757);c:\windows\system32\drivers\NEOFLTR_710_19757.SYS [2012-1-25 85064]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-11-21 202344]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2005-9-26 258146]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MMIndexer;Media Manager Indexer;c:\program files\common files\microsoft shared\media manager\AIRSVCU.EXE [1997-7-15 136704]
R2 NovacomD;Palm Novacom;c:\program files\palm, inc\novacomd\x86\novacomd.exe [2011-3-15 61440]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\WDDMService.exe [2011-8-1 263056]
R2 WDFMEService;WDFMEService;c:\program files\western digital\wd smartware\WDFME.exe [2011-8-1 1592208]
R2 WDRulesService;WDRulesService;c:\program files\western digital\wd smartware\WDRulesEngine.exe [2011-8-1 1091984]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-10 106104]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120225.008\naveng.sys [2012-2-26 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120225.008\navex15.sys [2012-2-26 1576312]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2010-1-6 57856]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2005-9-26 108400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-10 136176]
S2 McciServiceHost;McciServiceHost;"c:\program files\common files\motive\mcciservicehost.exe" --> c:\program files\common files\motive\McciServiceHost.exe [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-5-29 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-10 136176]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [2011-5-29 33792]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [2004-3-29 49024]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2007-3-14 116416]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-9-30 1087680]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2012-2-15 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\cox\media store and share backup manager\VaultClientSRV.exe [2008-10-8 981456]
S4 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\cox\media store and share backup manager\VaultClientUpgrade.exe [2008-10-8 55760]
.
=============== Created Last 30 ================
.
2012-02-27 22:14:52 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-27 22:14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-27 03:04:36 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\NPE
2012-02-27 03:04:36 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-02-26 18:16:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-26 18:16:26 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-02-25 22:32:14 -------- d-----w- c:\documents and settings\hp_administrator\application data\Malwarebytes
2012-02-25 22:32:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-15 20:56:20 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2012-02-15 19:31:06 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\Western_Digital
2012-02-15 18:52:23 -------- d-----w- c:\documents and settings\all users\application data\Western Digital
2012-02-15 18:50:46 -------- d-----w- c:\program files\Western Digital
2012-02-15 18:50:04 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\Western Digital
2012-02-14 21:34:55 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 21:34:55 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-09 15:31:49 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-02-09 15:31:49 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-02-09 15:29:22 -------- d-----w- c:\program files\iPod
2012-02-09 15:28:04 -------- d-----w- c:\program files\iTunes
2012-02-09 15:22:02 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-21 16:45:39 723294 ----a-w- c:\windows\unins000.exe
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
2008-06-04 12:51:36 5553 ----a-w- c:\program files\common files\acbackupreg.reg
2004-08-10 05:00:00 94784 --sha-w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sha-w- c:\windows\twain_32.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32:15 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sha-w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 20:57:38.14 ===============
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/4/2006 7:49:54 PM
System Uptime: 2/27/2012 7:31:28 PM (1 hours ago)
.
Motherboard: MSI | | AMETHYST-M
Processor: AMD Athlon 64 Processor 3800+ | Socket 939 | 2387/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 224 GiB total, 84.115 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 1.114 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
N: is Removable
O: is Removable
P: is Removable
Q: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1231: 1/28/2012 10:44:51 AM - System Checkpoint
RP1232: 1/29/2012 10:56:31 AM - System Checkpoint
RP1233: 1/30/2012 5:33:52 PM - System Checkpoint
RP1234: 1/31/2012 5:56:28 PM - System Checkpoint
RP1235: 2/1/2012 5:57:33 PM - System Checkpoint
RP1236: 2/2/2012 6:56:27 PM - System Checkpoint
RP1237: 2/3/2012 7:48:55 PM - System Checkpoint
RP1238: 2/4/2012 8:21:34 PM - System Checkpoint
RP1239: 2/5/2012 8:30:36 PM - System Checkpoint
RP1240: 2/6/2012 10:44:58 PM - System Checkpoint
RP1241: 2/7/2012 11:09:53 PM - System Checkpoint
RP1242: 2/8/2012 11:29:21 PM - System Checkpoint
RP1243: 2/9/2012 10:07:39 AM - Removed iTunes
RP1244: 2/9/2012 10:27:27 AM - Installed iTunes
RP1245: 2/10/2012 11:19:13 AM - System Checkpoint
RP1246: 2/11/2012 11:22:41 AM - System Checkpoint
RP1247: 2/12/2012 12:43:44 PM - System Checkpoint
RP1248: 2/13/2012 1:03:10 PM - System Checkpoint
RP1249: 2/14/2012 2:08:58 PM - System Checkpoint
RP1250: 2/15/2012 3:00:20 AM - Software Distribution Service 3.0
RP1251: 2/15/2012 3:24:15 PM - Installed WD Software Upgrader
RP1252: 2/16/2012 3:46:24 PM - System Checkpoint
RP1253: 2/17/2012 4:39:48 PM - System Checkpoint
RP1254: 2/18/2012 5:33:12 PM - System Checkpoint
RP1255: 2/19/2012 6:26:35 PM - System Checkpoint
RP1256: 2/20/2012 7:35:39 PM - System Checkpoint
RP1257: 2/21/2012 8:39:12 PM - System Checkpoint
RP1258: 2/22/2012 9:09:54 PM - System Checkpoint
RP1259: 2/23/2012 10:05:36 PM - System Checkpoint
RP1260: 2/24/2012 10:59:13 PM - System Checkpoint
RP1261: 2/25/2012 10:59:33 PM - System Checkpoint
RP1262: 2/26/2012 11:31:34 PM - System Checkpoint
.
==== Installed Programs ======================
.
.
32 Bit HP CIO Components Installer
Acrobat.com
ActivClient CAC x86
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 2.0
Adobe Reader X (10.1.2)
Adobe® Photoshop® Album Starter Edition 3.2
Agere Systems PCI-SV92PP Soft Modem
AIO_Scan
Amazon MP3 Downloader 1.0.10
Amazon Unbox Video
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASUS RT-N12 Wireless Router Utilities
ATI Control Panel
ATI Display Driver
att.net Internet Mail
AutoUpdate
Bonjour
BufferChm
C4200
C4200_doccd
c4200_Help
CameraDrivers
CCleaner
Check Point SSL Network Extender
Compatibility Pack for the 2007 Office system
Copy
Coupon Printer for Windows
cp_LightScribeConfig
cp_LightScribePlugin
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Destination Component
Device Installer x86
DeviceDiscovery
DeviceManagementQFolder
DiscAPI (Studio 10)
DivX
DocProc
DocProcQFolder
DVDSmith Movie Backup 1.0.5
Enhanced Multimedia Keyboard Solution
eSupportQFolder
Family Tree Maker 2005
First Step Guide
Garmin City Navigator North America NT 2010.20
Garmin Communicator Plugin
Garmin POI Loader
Garmin USB Drivers
GdiplusUpgrade
Google Toolbar for Internet Explorer
Google Update Helper
GTK2-Runtime
H&R Block Basic + Efile 2009
Handbrake 0.9.4
Hardwood Spades
High Definition Audio Driver Package - KB888111
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB939209)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP Customer Participation Program 9.0
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photo Imaging Software
HP Photo Printing Software
HP PhotoSmart Scanning Software
HP Photosmart All-In-One Software 9.0
HP Photosmart Cameras 5.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Play [beta]
HP Product Assistant
HP Product Detection
HP Solution Center 9.0
HP Update
HPDiagnosticAlert
HPProductAssistant
HpSdpAppCoreApp
HPSSupply
ImageMixer VCD2
InterActual Player
InterVideo WinDVD Player
IrfanView (remove only)
iTunes
Java Auto Updater
Java 6 Update 30
JumpStart Advanced School Time
Juniper Networks Cache Cleaner 6.5.0
Juniper Networks Host Checker
Juniper Networks Secure Application Manager
Juniper Networks, Inc. Setup Client
Juniper Terminal Services Client
K-Lite Codec Pack 6.8.0 (Standard)
LeapFrog Connect
LeapFrog LeapPad Explorer Plugin
LeapFrog My Pals Plugin
LeapFrog Tag Plugin
Lexia Reading
LightScribe 1.4.52.1
LiveUpdate 3.1 (Symantec Corporation)
Logitech Desktop Messenger
Logitech Legacy USB Camera Driver Package
Logitech QuickCam Driver Package
Logitech Vid HD
Logitech Webcam Software
LSI PCI-SV92PP Soft Modem
Macromedia Flash Player
Malwarebytes Anti-Malware version 1.60.1.1000
MarketResearch
MasterSplitter Program
Math Games
Media Store and Share Backup Manager
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Away Mode
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Media Manager 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Outlook Web Access S/MIME (2007)
Microsoft SQL Server Desktop Engine (PINNACLESYS)
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
MobileMe Control Panel
Mozilla Firefox 8.0 (x86 en-US)
Mozilla Thunderbird (6.0)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer unPlugged 1.2
MyPoints Point Finder
MyPoints Toolbar
MyPoints Toolbar 2.0
Novacomd
Octoshape add-in for Adobe Flash Player
OLYMPUS CAMEDIA Master 2.5
OpenMG AAC Add-on Module 1.0.00
OpenMG Limited Patch 4.5-06-05-12-01
OpenMG Secure Module 4.5.01
Paint and Create
PC-Doctor 5 for Windows
PC Inspector File Recovery
Pdf995 (installed by H&R Block)
PdfEdit995 (installed by H&R Block)
Picture Package Music Transfer
Pinnacle Instant DVD Recorder
Pinnacle MediaServer
PS_AIO_ProductContext
PS_AIO_Software
PS_AIO_Software_min
PSSWCORE
Quicken 2010
QuickTime
RAPID (Studio 10)
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Savings Bond Wizard
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shop for HP Supplies
Skype Click to Call
Skype™ 5.5
SmartSound Quicktracks Plugin
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SonicStage 4.0
Sony Picture Utility
Sony USB Driver
Status
Studio 10
Studio 10 Bonus DVD
Symantec Client Security
Symantec Technical Support Web Controls
TaxACT 2010
TaxACT 2011 - 1040 Edition
TaxCut Basic + Efile 2008
Toolbox
TrayApp
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Basic 2006
TurboTax Basic 2007
TurboTax ItsDeductible 2006
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
USB 2.0 Switch Utility Software
Use the entry named LeapFrog Connect to uninstall (LeapFrog LeapPad Explorer Plugin)
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
VideoToolkit01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD SmartWare
WD Software Upgrader
WebFldrs XP
WebReg
WexTech AnswerWorks
Window Washer
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
Windows Driver Package - Palm (WinUSB) Palm Devices (10/09/2009 1.0.1)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinX DVD Copy Pro 2.2.0
WinX DVD Ripper Platinum 6.0.2
WinX HD Video Converter Deluxe 3.10.3
X-Lite 3.0
.
==== Event Viewer Messages From Past Week ========
.
2/27/2012 7:41:01 PM, error: Service Control Manager [7022] - The Pinnacle Systems Media Service service hung on starting.
2/27/2012 7:39:42 PM, error: Service Control Manager [7024] - The Symantec SPBBCSvc service terminated with service-specific error 4294967295 (0xFFFFFFFF).
2/27/2012 7:39:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intuit Update Service service to connect.
2/27/2012 7:39:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
2/27/2012 7:39:42 PM, error: Service Control Manager [7000] - The Intuit Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/27/2012 7:39:42 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/27/2012 7:12:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
2/27/2012 6:11:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WDRulesService with arguments "" in order to run the server: {C004E60F-2D62-4BE1-98C4-C39A8046B6BB}
2/27/2012 6:08:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/27/2012 6:08:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 eeCtrl Fips ftsata2 iaStor IntelIde IPSec MRxSmb NEOFLTR_710_19757 NetBIOS NetBT ohci1394 PCLEPCI RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip tffsport ViaIde
2/27/2012 6:08:09 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2012 6:08:09 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2012 6:08:09 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2012 6:08:09 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2012 6:08:09 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2012 6:08:09 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2012 6:07:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/27/2012 6:07:27 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/26/2012 2:25:21 PM, error: Service Control Manager [7034] - The LiveUpdate service terminated unexpectedly. It has done this 1 time(s).
2/26/2012 2:20:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
2/25/2012 6:02:12 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service hpqddsvc with arguments "" in order to run the server: {2C82180E-8C3C-4A1B-BEB1-B9140713E701}
2/25/2012 6:01:40 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
2/25/2012 6:01:40 PM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/25/2012 6:01:39 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
2/25/2012 5:58:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2 iaStor IntelIde tffsport ViaIde
2/25/2012 5:57:47 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The system cannot find the file specified.
2/25/2012 5:57:47 PM, error: Service Control Manager [7000] - The McciServiceHost service failed to start due to the following error: The system cannot find the file specified.
2/25/2012 5:55:44 PM, error: ati2mtag [52225] - CPLIB :: Open Session - Failed to load the library
2/22/2012 5:11:02 PM, error: SCardSvr [520] - Smart Card Resource Manager received unrecognized handle from PnP event DBT_DEVICEQUERYREMOVE/dbch_handle
.
==== End Of File ===========================
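The service list above is the raw DDS dump, and the one line worth a second look is the McciServiceHost entry, whose image DDS could not stat (`[?]`) and which the Event Viewer section later reports as failing with "The system cannot find the file specified". The following is an added triage helper, not part of the original post or of DDS itself: it parses DDS-style `R2 name;display;path [date size]` lines and flags two things a responder checks first, orphaned service entries whose binary is gone, and auto-start images living in user-writable locations. The sample input is constructed for the example (the `updsvc` line is invented to exercise the second check and does not appear in the poster's log); the regular expressions and the list of "user-writable" directories are the example's own assumptions.

```python
"""Triage DDS-style service/driver listings (added example, not DDS code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DDS prefix: R = running, S = stopped; digit = Windows Start value
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# R2 name;display;path [stamp]  -- stamp is "YYYY-M-D size", or "?" if the file is missing
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)\s+\[([^\]]*)\]\s*$")

# Assumed list of locations a service image should never auto-start from
USER_WRITABLE = re.compile(
    r"\\(documents and settings|users)\\.*\\(local settings|application data|appdata|temp)\\"
    r"|\\windows\\temp\\|\\recycler\\|\\temp\\",
    re.IGNORECASE,
)

# Constructed sample modelled on the DDS lines above; the updsvc entry is invented
SAMPLE = r"""
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-10 136176]
S2 McciServiceHost;McciServiceHost;"c:\program files\common files\motive\mcciservicehost.exe" --> c:\program files\common files\motive\McciServiceHost.exe [?]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120225.008\naveng.sys [2012-2-26 86136]
R2 updsvc;Windows Update Helper;c:\documents and settings\user\local settings\temp\updsvc.exe [2012-2-25 40960]
"""


@dataclass
class ServiceEntry:
    running: bool
    start: str
    name: str
    display: str
    path: str
    stamp: Optional[str]  # None when DDS printed "[?]", i.e. it could not stat the image


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every DDS service/driver line; lines in any other format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        state, start, name, display, path, stamp = m.groups()
        # DDS prints 'registry value --> resolved path' when the ImagePath was quoted
        if "-->" in path:
            path = path.split("-->", 1)[1]
        path = path.strip().strip('"')
        stamp = stamp.strip()
        entries.append(ServiceEntry(
            running=(state == "R"),
            start=START_TYPES[start],
            name=name.strip(),
            display=display.strip(),
            path=path,
            stamp=None if stamp == "?" else stamp,
        ))
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs for entries that deserve a closer look."""
    findings = []
    for e in entries:
        if e.stamp is None:
            findings.append((e.name, "image not found on disk: orphaned service entry"))
        if USER_WRITABLE.search(e.path):
            findings.append((e.name, "service image lives in a user-writable location"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_services(SAMPLE)):
        print(f"{name}: {reason}")
```

An orphaned entry like McciServiceHost is usually an uninstall or cleanup leftover rather than malware, but it still needs to be explained and removed (`sc delete <name>`) so it stops producing service-start errors that mask real ones.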
Forgot to say that MBAM did find 2 "trojans", but apparently not the ones listed. Sorry, but I didn't keep the log. After restart, I ran it again and got the below. My firewall is still being attacked. Thanks.
Malwarebytes Anti-Malware 1.60.1.1000
Database version: v2012.02.27.06
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP_Administrator :: LORI_II [administrator]
2/27/2012 5:38:06 PM
mbam-log-2012-02-27 (17-38-06).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206472
Time elapsed: 10 minute(s), 53 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
I ran ESET, and it found and deleted a variant of Win32/Agent.SZW, out of a tempIMG folder and system restore. Was that the problem, and is it fixed? Do I do a reboot? Now I have a "bla" trojan/UDP attacking my firewall, in addition to the others. Please help. Thanks.
-
Hi,
I am a newbie, fwiw. Last week, my Symantec firewall started warning me that the following trojans were trying to get through:
Master of Paradise port 3129
Portal of Doom port 3700
Deep Throat port 2148
RAT port 2989
I ran MBAM, and although it said it found 2 trojans (but didn't identify them) and removed them, I am still getting attacked by the above (or the ports are being attacked). Before I ran MBAM, I ran my updated Symantec AV, and it found nothing. I also ran Spybot and even the new MS MRT, but nothing was found.
Any ideas as to what to do next? I am going to go into safe mode and blow out all my temp files manually later. There is also another profile on my comp, so will do the same there. Is it possible this other profile is responsible for these attacks, in that the trojans reside there? It is my wife's computer, and neither of us uses the other profile, or hasn't in years.
We are not in the habit of going to suspicious sites, or running unscanned executables. The whole thing is bizarre. Thanks in advance.
Firewall blocking inbound traffic from "Trojans", but MBAM doesn't find any
in Resolved Malware Removal Logs
Ok, done. Firewall got another hit from "Deepthroat" a little while ago, but the attacks/hits/pings seem to be slowing down.
Thanks for all your help, and will report back if/when I find something out, or have questions.
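The "trojan" names in these firewall alerts come from a static port-to-name lookup (3129, 3700, 2148 and 2989 in the post above); a blocked inbound hit on such a port only records that some remote host probed it, which is why MBAM, ESET and a full AV scan can all come back clean while the alerts continue. The script below is an added example, not code from this thread, from Symantec or from Malwarebytes: it parses a handful of constructed firewall alert lines (the line format is an assumption; real Symantec logs have their own layout), tallies blocked inbound probes per named port and distinct source, and flags the one thing that would actually indicate a compromised host, an outbound connection from the PC to one of those ports.

```python
import re
from collections import Counter, defaultdict

# Port-to-name table exactly as listed in the forum post.
TROJAN_PORT_NAMES = {
    3129: "Master of Paradise",
    3700: "Portal of Doom",
    2148: "Deep Throat",
    2989: "RAT",
}

# Constructed sample alert lines (not taken from any real log). The layout
# "<date> <time> <action> <direction> <proto> <src>:<sport> -> <dst>:<dport>"
# is an assumption made for this example.
SAMPLE_ALERTS = """\
2012-02-26 14:03:11 Blocked inbound TCP 198.51.100.23:41872 -> 192.168.1.5:3129
2012-02-26 14:03:12 Blocked inbound TCP 198.51.100.23:41873 -> 192.168.1.5:3700
2012-02-26 19:45:02 Blocked inbound UDP 203.0.113.77:53211 -> 192.168.1.5:2148
2012-02-27 02:10:40 Blocked inbound TCP 198.51.100.23:50201 -> 192.168.1.5:2989
2012-02-27 02:10:41 Allowed outbound TCP 192.168.1.5:1055 -> 192.0.2.10:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>Blocked|Allowed) (?P<direction>inbound|outbound) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Turn alert lines into dicts; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"] = int(e["sport"])
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def triage(events):
    """Separate blocked inbound probes on trojan-named ports from outbound use of those ports."""
    report = {
        "inbound_blocked_by_port": Counter(),   # dport -> number of blocked inbound hits
        "sources": defaultdict(set),            # dport -> remote IPs that probed it
        "outbound_on_trojan_ports": [],         # connections *from* this host to such a port
    }
    for e in events:
        if e["dport"] not in TROJAN_PORT_NAMES:
            continue
        if e["direction"] == "inbound" and e["action"] == "Blocked":
            report["inbound_blocked_by_port"][e["dport"]] += 1
            report["sources"][e["dport"]].add(e["src"])
        elif e["direction"] == "outbound":
            report["outbound_on_trojan_ports"].append(e)
    return report


def summarize(report):
    """One human-readable line per probed port."""
    lines = []
    for port, count in sorted(report["inbound_blocked_by_port"].items()):
        name = TROJAN_PORT_NAMES[port]
        srcs = len(report["sources"][port])
        lines.append(f"port {port} ({name}): {count} blocked inbound probe(s) from {srcs} source(s)")
    return lines


def verdict(report):
    """Blocked inbound probes alone are scanning noise; outbound use of the port is the real signal."""
    if report["outbound_on_trojan_ports"]:
        return "outbound connection to a trojan-named port: investigate this host"
    if report["inbound_blocked_by_port"]:
        return "inbound probes only"
    return "nothing relevant"


if __name__ == "__main__":
    rep = triage(parse_alerts(SAMPLE_ALERTS))
    for line in summarize(rep):
        print(line)
    print(verdict(rep))
```

On the constructed input the verdict is "inbound probes only": four blocked inbound hits spread over the four named ports, and no outbound traffic to any of them. The useful triage artefacts are the per-port source sets (a single remote address sweeping several of these ports at once is typical scanner behaviour) and the empty outbound list; the alert name itself carries no information about what is installed on the machine.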