riderryuken
Honorary Members-
Posts
24 -
Joined
-
Last visited
Reputation
0 NeutralAbout riderryuken
- Birthday 04/09/1985
Profile Information
-
Location
Pittsburgh
-
Yes it's one of about 26 or so in the office.
-
I completed a full scan with Symantec and there were no infections found during the scan, but it still shows backdoor as a security risk in both the scan log and on the server that monitors the computers.
-
Here is the log: ComboFix 10-08-04.05 - wlaur 08/05/2010 10:03:13.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3549.2999 [GMT -4:00] Running from: c:\documents and settings\wlaur\Desktop\ComboF-ix.exe AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 ))))))))))))))))))))))))))))))) . 2010-07-28 20:11 . 2010-07-28 20:11 410984 ----a-w- c:\windows\system32\deploytk.dll 2010-07-28 20:11 . 2010-07-28 20:12 152576 ----a-w- c:\documents and settings\wlaur\Application Data\Sun\Java\jre1.6.0_12\lzma.dll 2010-07-28 17:07 . 2010-05-12 19:06 91976 ----a-w- c:\windows\system32\drivers\SysPlant.sys 2010-07-22 16:04 . 2010-07-22 16:12 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2010-07-22 16:04 . 2010-07-22 16:04 -------- d-----w- c:\program files\Hitman Pro 3.5 2010-07-22 16:04 . 2010-07-22 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro 2010-07-15 12:41 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe 2010-07-14 15:36 . 2010-07-14 15:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-07-14 13:31 . 2010-07-14 15:37 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-07-13 19:45 . 2010-07-13 19:46 -------- d-----w- c:\documents and settings\wlaur\Application Data\D24DE017F1116641030C0B681B177EAD . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-08-05 13:27 . 2009-11-06 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PDFC 2010-08-04 20:08 . 2009-12-07 20:51 -------- d-----w- c:\program files\Mozilla Thunderbird 2010-07-28 20:11 . 2009-11-06 05:38 -------- d-----w- c:\program files\Java 2010-07-14 15:21 . 2009-12-07 21:33 -------- d-----w- c:\program files\Common Files\Adobe 2010-07-06 16:50 . 2009-12-07 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-06-24 12:49 . 2010-05-12 19:06 161920 ----a-w- c:\windows\system32\drivers\WpsHelper.sys 2010-06-14 14:31 . 2008-04-14 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe 2010-05-21 14:08 . 2010-05-21 14:08 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL 2010-05-21 14:08 . 2010-05-21 14:08 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-01 150040] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-01 170520] "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848] "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-06-18 563736] "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824] "Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856] "Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-05-12 115560] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\WINDOWS\\SMINST\\Scheduler.exe"= R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2mgmtsvc.exe [7/11/2006 2:40 AM 35880] R2 DB2NTSECSERVER_DB2COPY1;DB2 Security Server (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2sec.exe [7/11/2006 2:41 AM 14376] R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [11/6/2009 1:46 AM 635416] R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/18/2007 12:09 AM 11032] R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/6/2009 2:26 AM 243856] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 5:05 PM 102448] S2 0024321260216100mcinstcleanup;McAfee Application Installer Cleanup (0024321260216100);c:\docume~1\wlaur\LOCALS~1\Temp\002432~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\wlaur\LOCALS~1\Temp\002432~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/12/2010 3:06 PM 23888] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper . Contents of the 'Scheduled Tasks' folder 2010-07-28 c:\windows\Tasks\updater.exe.job - c:\program files\Orion Advisor Services\Advisor Desktop\updater.exe [2010-03-25 21:19] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bigcharts.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: //about.htm/ Trusted Zone: //Exclude.htm/ Trusted Zone: //FWEvent.htm/ Trusted Zone: //LanguageSelection.htm/ Trusted Zone: //Message.htm/ Trusted Zone: //MyAgttryCmd.htm/ Trusted Zone: //MyAgttryNag.htm/ Trusted Zone: //MyNotification.htm/ Trusted Zone: //NOCLessUpdate.htm/ Trusted Zone: //quarantine.htm/ Trusted Zone: //ScanNow.htm/ Trusted Zone: //strings.vbs/ Trusted Zone: //Template.htm/ Trusted Zone: //Update.htm/ Trusted Zone: //VirFound.htm/ Trusted Zone: mcafee.com\* Trusted Zone: mcafeeasap.com\betavscan Trusted Zone: mcafeeasap.com\vs Trusted Zone: mcafeeasap.com\www TCP: {5F70908A-A7ED-4646-AD68-104F9F180CAB} = 192.168.0.60,192.168.0.2 FF - ProfilePath - c:\documents and settings\wlaur\Application Data\Mozilla\Firefox\Profiles\a834u01r.default\ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - ORPHANS REMOVED - - - - SafeBoot-Symantec Antvirus ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-08-05 10:06 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher] "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . Completion time: 2010-08-05 10:08:48 ComboFix-quarantined-files.txt 2010-08-05 14:08 Pre-Run: 123,964,407,808 bytes free Post-Run: 124,007,747,584 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - E4BFA14C8FD05953AE70DAF46531D249
-
Here are the logs: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4388 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 8/4/2010 12:58:37 PM mbam-log-2010-08-04 (12-58-37).txt Scan type: Quick scan Objects scanned: 161539 Time elapsed: 6 minute(s), 22 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\wlaur\Local Settings\Temporary Internet Files\Yugma_Viewer_Plugin.exe (Trojan.Agent) -> Quarantined and deleted successfully. DDS Log DDS (Ver_10-03-17.01) - NTFSx86 Run by wlaur at 13:01:36.71 on Wed 08/04/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3549.2956 [GMT -4:00] AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\Explorer.EXE C:\Program Files\PDF Complete\pdfsvc.exe C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\SMINST\Scheduler.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\userinit.exe C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe C:\Documents and Settings\wlaur\My Documents\Downloads\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.bigcharts.com/ BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe mRun: [Recguard] c:\windows\sminst\Recguard.exe mRun: [Reminder] c:\windows\creator\Remind_XP.exe mRun: [scheduler] c:\windows\sminst\Scheduler.exe mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL Trusted Zone: //about.htm/ Trusted Zone: //Exclude.htm/ Trusted Zone: //FWEvent.htm/ Trusted Zone: //LanguageSelection.htm/ Trusted Zone: //Message.htm/ Trusted Zone: //MyAgttryCmd.htm/ Trusted Zone: //MyAgttryNag.htm/ Trusted Zone: //MyNotification.htm/ Trusted Zone: //NOCLessUpdate.htm/ Trusted Zone: //quarantine.htm/ Trusted Zone: //ScanNow.htm/ Trusted Zone: //strings.vbs/ Trusted Zone: //Template.htm/ Trusted Zone: //Update.htm/ Trusted Zone: //VirFound.htm/ Trusted Zone: mcafee.com\* Trusted Zone: mcafeeasap.com\betavscan Trusted Zone: mcafeeasap.com\vs Trusted Zone: mcafeeasap.com\www DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260213397109 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: {5F70908A-A7ED-4646-AD68-104F9F180CAB} = 192.168.0.60,192.168.0.2 Notify: igfxcui - igfxdev.dll Hosts: 192.168.0.60 dells3 ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\wlaur\applic~1\mozilla\firefox\profiles\a834u01r.default\ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-6 214024] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-5-12 108392] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-5-12 108392] R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\ibm\sqllib\bin\db2mgmtsvc.exe [2006-7-11 35880] R2 DB2NTSECSERVER_DB2COPY1;DB2 Security Server (DB2COPY1);c:\program files\ibm\sqllib\bin\db2sec.exe [2006-7-11 14376] R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-11-6 635416] R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032] R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-5-12 2440632] R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-11-6 243856] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100803.041\NAVENG.SYS [2010-8-4 85424] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100803.041\NAVEX15.SYS [2010-8-4 1362608] S2 0024321260216100mcinstcleanup;McAfee Application Installer Cleanup (0024321260216100);c:\docume~1\wlaur\locals~1\temp\002432~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\wlaur\locals~1\temp\002432~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-5-12 23888] S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-11-6 79816] S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-11-6 35272] S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-11-6 34248] =============== Created Last 30 ================ 2010-07-28 20:11:56 410984 ----a-w- c:\windows\system32\deploytk.dll 2010-07-28 17:07:05 91976 ----a-w- c:\windows\system32\drivers\SysPlant.sys 2010-07-27 19:16:15 0 ----a-w- c:\documents and settings\wlaur\defogger_reenable 2010-07-22 16:04:26 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2010-07-22 16:04:10 0 d-----w- c:\program files\Hitman Pro 3.5 2010-07-22 16:04:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro 2010-07-15 12:41:39 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe 2010-07-14 13:31:35 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-07-13 19:45:50 0 d-----w- c:\docume~1\wlaur\applic~1\D24DE017F1116641030C0B681B177EAD ==================== Find3M ==================== 2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll 2010-06-24 12:49:54 161920 ----a-w- c:\windows\system32\drivers\WpsHelper.sys 2010-05-21 14:08:12 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL 2010-05-12 19:06:40 89088 ----a-w- c:\windows\system32\atl71.dll 2010-05-12 19:06:40 625032 ----a-w- c:\windows\system32\SymNeti.dll 2010-05-12 19:06:40 49480 ----a-w- c:\windows\system32\FwsVpn.dll 2010-05-12 19:06:40 357704 ----a-w- c:\windows\system32\sysfer.dll 2010-05-12 19:06:40 242056 ----a-w- c:\windows\system32\SymRedir.dll 2010-05-12 19:06:40 107848 ----a-w- c:\windows\system32\SymVPN.dll 2009-11-06 05:37:03 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat 2009-11-06 05:37:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat 2009-12-07 16:47:05 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120720091208\index.dat ============= FINISH: 13:02:02.27 ===============
-
Anyone?
-
Anyone have any ideas? I still can't seem to find what Symantec says is there.
-
Our Symantec keeps showing one of the computers in the office has backdoor.tidserv inf and will get more instances of it every few days. I can't seem to get rid of it or even find it with any other program. The users are all monitored by the server and this is a fairly new set up for me so I'm not sure if I'm missing something. Attached are the logs as per the instructions. DDS (Ver_10-03-17.01) - NTFSx86 Run by wlaur at 15:16:48.92 on Tue 07/27/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3549.2770 [GMT -4:00] AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\PDF Complete\pdfsvc.exe C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\SMINST\Scheduler.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\wlaur\My Documents\Downloads\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.bigcharts.com/ BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe mRun: [Recguard] c:\windows\sminst\Recguard.exe mRun: [Reminder] c:\windows\creator\Remind_XP.exe mRun: [scheduler] c:\windows\sminst\Scheduler.exe mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL Trusted Zone: //about.htm/ Trusted Zone: //Exclude.htm/ Trusted Zone: //FWEvent.htm/ Trusted Zone: //LanguageSelection.htm/ Trusted Zone: //Message.htm/ Trusted Zone: //MyAgttryCmd.htm/ Trusted Zone: //MyAgttryNag.htm/ Trusted Zone: //MyNotification.htm/ Trusted Zone: //NOCLessUpdate.htm/ Trusted Zone: //quarantine.htm/ Trusted Zone: //ScanNow.htm/ Trusted Zone: //strings.vbs/ Trusted Zone: //Template.htm/ Trusted Zone: //Update.htm/ Trusted Zone: //VirFound.htm/ Trusted Zone: mcafee.com\* Trusted Zone: mcafeeasap.com\betavscan Trusted Zone: mcafeeasap.com\vs Trusted Zone: mcafeeasap.com\www DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260213397109 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: {5F70908A-A7ED-4646-AD68-104F9F180CAB} = 192.168.0.60,192.168.0.2 Notify: igfxcui - igfxdev.dll Hosts: 192.168.0.60 dells3 ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\wlaur\applic~1\mozilla\firefox\profiles\a834u01r.default\ FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-6 214024] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-5-12 108392] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-5-12 108392] R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\ibm\sqllib\bin\db2mgmtsvc.exe [2006-7-11 35880] R2 DB2NTSECSERVER_DB2COPY1;DB2 Security Server (DB2COPY1);c:\program files\ibm\sqllib\bin\db2sec.exe [2006-7-11 14376] R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-11-6 635416] R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032] R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-5-12 2440632] R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-11-6 243856] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100726.041\NAVENG.SYS [2010-7-27 85424] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100726.041\NAVEX15.SYS [2010-7-27 1362608] S2 0024321260216100mcinstcleanup;McAfee Application Installer Cleanup (0024321260216100);c:\docume~1\wlaur\locals~1\temp\002432~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\wlaur\locals~1\temp\002432~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-5-12 23888] S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-11-6 79816] S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-11-6 35272] S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-11-6 34248] =============== Created Last 30 ================ 2010-07-27 19:16:15 0 ----a-w- c:\documents and settings\wlaur\defogger_reenable 2010-07-22 16:04:26 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2010-07-22 16:04:10 0 d-----w- c:\program files\Hitman Pro 3.5 2010-07-22 16:04:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro 2010-07-15 12:41:39 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe 2010-07-14 13:31:35 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-07-13 19:45:50 0 d-----w- c:\docume~1\wlaur\applic~1\D24DE017F1116641030C0B681B177EAD ==================== Find3M ==================== 2010-06-24 12:49:54 161920 ----a-w- c:\windows\system32\drivers\WpsHelper.sys 2010-05-21 14:08:12 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL 2010-05-12 19:06:40 89088 ----a-w- c:\windows\system32\atl71.dll 2010-05-12 19:06:40 625032 ----a-w- c:\windows\system32\SymNeti.dll 2010-05-12 19:06:40 49480 ----a-w- c:\windows\system32\FwsVpn.dll 2010-05-12 19:06:40 242056 ----a-w- c:\windows\system32\SymRedir.dll 2010-05-12 19:06:40 107848 ----a-w- c:\windows\system32\SymVPN.dll 2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe 2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys 2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys 2009-11-06 05:37:03 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat 2009-11-06 05:37:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat 2009-12-07 16:47:05 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120720091208\index.dat ============= FINISH: 15:16:55.63 =============== ark.zip
-
Sorry for the delay here is the log: Malwarebytes' Anti-Malware 1.44 Database version: 3677 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 2/4/2010 1:14:21 PM mbam-log-2010-02-04 (13-14-21).txt Scan type: Quick Scan Objects scanned: 141634 Time elapsed: 1 hour(s), 3 minute(s), 8 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
-
I actually retried something I thought I did before and changed the settings to auto detect and not use the proxy server in IE. Perhaps I did do it but the virus changed it back because I've seen that happen. In any case now I can update and IE works fine. I just finished running a full scan and it found two threats which it deleted.
-
I tried running the first part with Firefox, but it eventually opens an IE page that doesn't work. Here is the results of the checkup.txt: Results of screen317's Security Check version 0.99.1 Windows XP Service Pack 3 `````````````````````````````` Antivirus/Firewall Check: Symantec Endpoint Protection Antivirus up to date! `````````````````````````````` Anti-malware/Other Utilities Check: Spybot - Search & Destroy HijackThis 2.0.2 Java 2 Runtime Environment Standard Edition v1.3.1_02 Java 6 Update 3 Java 2 Runtime Environment, SE v1.4.2_03 Out of date Java installed! Adobe Flash Player 10 Adobe Atmosphere Player for Acrobat and Adobe Reader Adobe Reader 8.1.2 Out of date Adobe Reader installed! `````````````````````````````` Process Check: objlist.exe by Laurent Norton ccSvcHst.exe `````````````````````````````` DNS Vulnerability Check: nslookup.exe missing! GREAT! (Not vulnerable to DNS cache poisoning) `````````End of Log```````````
-
Internet Explorer keeps giving me cannot display web page when I open it. I can run it with Firefox though.
-
Here is the combo fix and hijackthis logs. Logs.zip
-
To clarify it did eventually start up, but since I told it to update when it opened it gave me that message and whenever I try to update in the application it gives me that message. I'm able to run the scan. I started a quick scan and it is showing that there are still objects infected.
-
Sorry for the late response the computer is at the office. I followed the instructions. When it tried to start up again it gave me Error code: 732 {12029, 0).
-
Using spybot I believe I was able to get rid of the virus, but I haven't been able to update malwarebytes to make sure. DDS files: DDS (Ver_09-12-01.01) - NTFSx86 Run by Administrator at 9:45:14.57 on Fri 01/22/2010 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.502 [GMT -5:00] ============== Running Processes =============== C:\WINNT\system32\svchost -k DcomLaunch svchost.exe C:\WINNT\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINNT\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINNT\system32\basfipm.exe C:\Program Files\SQLLIB\bin\db2jds.exe C:\Program Files\SQLLIB\bin\db2sec.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\dla\tfswctrl.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe C:\WINNT\system32\taskmgr.exe C:\Program Files\Parallels\Parallels Tools\prl_cc.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Administrator\Desktop\dds.scr ============== Pseudo HJT Report =============== uDefault_Page_URL = hxxp://www.dell.com uStart Page = hxxp://www.dell.com uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File mRun: [synchronization Manager] mobsync.exe /logon mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r mRun: [dla] c:\winnt\system32\dla\tfswctrl.exe mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRun: [Parallels Shared Internet Applications] "c:\program files\parallels\parallels tools\sia\SharedIntApp.exe" /start mRun: [Parallels Tools Center] "c:\program files\parallels\parallels tools\prl_cc.exe" mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll Trusted Zone: .psf DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwlc.ops.placeware.com/etc/place/LIMA/SCLpws-c2/5.1.7.413/lib/quicksilver.cab DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38328.2524305556 DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab TCP: {FE6A500E-99EB-46B2-8230-AD465DE3BC53} = 192.168.0.60 Notify: NavLogon - c:\winnt\system32\NavLogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll SSODL: dowugibuz - {9ec42bd0-2fe3-4f68-9637-9ecded16f7fb} - c:\winnt\system32\latuyotu.dll SSODL: kayakarod - {a61b4ca3-b40f-4412-a487-e75b47b310d5} - c:\winnt\system32\sosilavu.dll STS: jugezatag: {9ec42bd0-2fe3-4f68-9637-9ecded16f7fb} - c:\winnt\system32\latuyotu.dll STS: tokatiluy: {a61b4ca3-b40f-4412-a487-e75b47b310d5} - c:\winnt\system32\sosilavu.dll LSA: Notification Packages = a.dll yiyidaju.dll Hosts: 127.0.0.1 www.spywareinfo.com ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\y90v17zj.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R0 fasttrak;fasttrak;c:\winnt\system32\drivers\Fasttrak.sys [2001-4-26 64418] R0 mraid2k;mraid2k;c:\winnt\system32\drivers\MRAID2K.SYS [2001-6-8 17258] R0 prl_pv32;prl_pv32;c:\winnt\system32\drivers\prl_pv32.sys [2008-12-10 101704] R0 prl_tg;Parallels Tool Device;c:\winnt\system32\drivers\prl_tg.sys [2008-12-10 22728] R1 prl_boot;prl_boot;c:\winnt\system32\drivers\prl_boot.sys [2009-8-30 33608] R1 prl_fs;Parallels Shared Folders;c:\winnt\system32\drivers\prl_fs.sys [2008-11-22 148168] R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208] R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304] R2 Parallels Coherence Service;Parallels Coherence Service;c:\program files\parallels\parallels tools\services\coherence.exe [2009-8-30 27976] R2 Parallels Tools Service;Parallels Tools Service;c:\program files\parallels\parallels tools\services\prl_tools_service.exe [2009-8-30 138056] R2 prl_time;Parallels Time Synchronization Helper;c:\winnt\system32\drivers\prl_time.sys [2009-12-3 15560] R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091129.002\NAVENG.sys [2009-11-30 84912] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091129.002\NAVEX15.sys [2009-11-30 1323568] R3 prl_eth5;Parallels Ethernet Adapter;c:\winnt\system32\drivers\prl_eth5.sys [2008-12-10 17864] R3 prl_mouf;Parallels Mouse Synchronization Device;c:\winnt\system32\drivers\prl_mouf.sys [2008-12-10 15432] R3 prl_va;Parallels Video Adapter;c:\winnt\system32\drivers\prl_vamp.sys [2008-12-10 19784] S2 SSIPDDP;SSIPDDP Parallel port device driver;c:\winnt\system32\drivers\SSIPDDP.SYS [2004-12-7 53248] S3 DB2ControlCenterServer;DB2 JDBC Applet Server - Control Center;c:\program files\sqllib\bin\db2ccs.exe [2004-12-7 156160] S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [1999-10-23 66591] S3 PCITG;PCITG;c:\winnt\system32\drivers\pcitg.sys [2007-12-28 15232] S3 prleth;Parallels Network Adapter;c:\winnt\system32\drivers\prleth.sys --> c:\winnt\system32\drivers\prleth.sys [?] S3 PrlMouse;Parallels Mouse Synchronization Tool;c:\winnt\system32\drivers\prlmouse.sys --> c:\winnt\system32\drivers\PrlMouse.sys [?] S3 PrlVideo;PrlVideo;c:\winnt\system32\drivers\prlvideo.sys --> c:\winnt\system32\drivers\PrlVideo.sys [?] S3 rootrepeal;rootrepeal;\??\c:\winnt\system32\drivers\rootrepeal.sys --> c:\winnt\system32\drivers\rootrepeal.sys [?] S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-12-2 50032] =============== Created Last 30 ================ 7051-02-23 02:36:15 6 ---ha-w- C:\rasmon.bin 7051-02-23 02:36:15 4 ---ha-w- C:\ddefact.bin 2010-01-22 14:43:46 0 ----a-w- c:\documents and settings\administrator\defogger_reenable 2010-01-21 19:32:16 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes 2010-01-21 19:31:44 0 d-----w- c:\docume~1\admini~1\applic~1\Parallels ==================== Find3M ==================== 2003-07-10 19:54:16 271 --sh--w- c:\program files\DESKTOP.INI 2003-07-10 19:54:16 21952 -c-ha-w- c:\program files\FOLDER.HTT 2009-07-27 12:10:16 1 --sha-w- c:\winnt\system32\zifutoro.dll 2009-07-10 11:46:35 32768 --sha-w- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071020090711\index.dat ============= FINISH: 9:46:09.42 =============== Attach.zip