Dheena

Hi, I have un-installed the combofix and also set the IE settings as instructed. Things seems to be fine. Thanks a Lot. you guys are doing a Great Job Thanks

Hi, I ran the ComboFix by dragging the CFScript File. I got an Error stating "Windows cannot access the Specified Device, Path, or File. You may not have the appropriate Permission to access the Item" - Please see attachment - Error_1 File. This Error popped up for more than 20 times and i had to keep Entering "OK" and then the combofix started. (Forgot to Mention, this happened even when i ran the comboFix earlier) After the re-boot, i got an output stating "ComboFix needs to submit Malware Files for further analysis, Please ensure you are connected to Internet before clicking OK" somehow the files were not being uploaded, as i got an message stating - "Webserver appears temporarily inaccessible. Manually upload C:\cf-Submit.htm Later" As per the C:\cf-Submit.htm, it stated me to upload "C:\Qoobox\Quarantine\[4]-Submit_2010-12-29_10.30.14.zip " File, which i did. But i am uploading all those files here too (cf-Submit.htm, [4]-Submit_2010-12-29_10.30.14.zip) And, Regarding the behaviour of my Computer. I dont see any unwanted sites opening for now. I dont see Links getting re-directed. Please find the output of the ComboxFix. *******************************************ComboxFix.log************************ ********************** ComboFix 10-12-28.02 - dsellago 12/29/2010 10:30:28.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.977 [GMT -6:00] Running from: c:\documents and settings\dsellago\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\dsellago\Desktop\CFScript.txt AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} FILE :: "c:\program files\ConduitEngine\ConduitEngine.dll" "c:\program files\Softonic-Eng7\tbSoft.dll" file zipped: c:\windows\Dmibua.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\ConduitEngine\ConduitEngine.dll c:\program files\Softonic-Eng7\tbSoft.dll c:\windows\Dmibua.exe c:\windows\system32\Oeminfo.ini . ((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 ))))))))))))))))))))))))))))))) . 2010-12-24 05:37 . 2010-12-24 05:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll 2010-12-24 05:37 . 2010-12-24 05:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll 2010-12-24 05:37 . 2010-12-24 05:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll 2010-12-24 05:37 . 2010-12-24 05:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll 2010-12-24 05:37 . 2010-12-24 05:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll 2010-12-24 05:37 . 2010-12-24 05:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll 2010-12-24 05:37 . 2010-12-24 05:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll 2010-12-24 05:36 . 2010-12-24 05:37 -------- d-----w- c:\program files\QuickTime 2010-12-24 05:36 . 2010-12-24 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer 2010-12-24 05:36 . 2010-12-24 05:36 -------- d-----w- c:\program files\Common Files\Apple 2010-12-24 05:36 . 2010-12-24 05:36 -------- d-----w- c:\documents and settings\dsellago\Local Settings\Application Data\Apple 2010-12-24 05:36 . 2010-12-24 05:36 -------- d-----w- c:\program files\Apple Software Update 2010-12-24 05:36 . 2010-12-24 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple 2010-12-24 05:36 . 2010-12-24 05:36 -------- d-----w- c:\documents and settings\dsellago\Local Settings\Application Data\Apple Computer 2010-12-24 05:09 . 2010-12-24 05:09 -------- d-----w- c:\program files\Common Files\Protexis 2010-12-24 05:08 . 2010-12-24 05:08 -------- d-----w- c:\program files\Corel 2010-12-24 05:08 . 2010-12-24 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel 2010-12-24 03:28 . 2010-12-24 03:28 -------- d-----w- c:\program files\FoxTabFlvPlayer 2010-12-21 14:53 . 2008-08-26 16:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys 2010-12-21 14:53 . 2010-12-21 14:53 -------- d-----w- c:\program files\PC Connectivity Solution 2010-12-21 14:53 . 2010-02-26 20:32 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys 2010-12-21 14:53 . 2010-02-26 20:32 22528 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys 2010-12-21 14:53 . 2010-02-26 20:32 662016 ----a-w- c:\windows\system32\nmwcdcocls.dll 2010-12-21 14:53 . 2010-02-26 20:32 18176 ----a-w- c:\windows\system32\drivers\ccdcmb.sys 2010-12-21 14:53 . 2010-02-26 20:19 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll 2010-12-18 09:16 . 2010-12-18 09:16 -------- d-----w- c:\program files\Common Files\Adobe 2010-12-05 09:29 . 2010-12-05 09:29 -------- d-----w- c:\program files\YouTube Downloader 2010-12-03 23:52 . 2010-12-05 09:13 -------- d-----w- c:\documents and settings\dsellago\Local Settings\Application Data\NokiaAccount 2010-11-29 20:15 . 2003-08-07 20:01 237568 ----a-w- c:\windows\system32\lame_enc.dll 2010-11-29 20:15 . 2002-12-25 15:44 380928 ----a-w- c:\windows\system32\actskin4.ocx 2010-11-29 20:15 . 2010-11-29 20:15 -------- d-----w- c:\program files\AudioToolsFactory 2010-11-29 19:55 . 2010-11-29 19:56 -------- d-----w- c:\program files\VirtualDJ . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-10-25 14:50 . 2009-06-18 18:26 82696 ----a-w- c:\windows\system32\lmdimon8.dll 2010-10-25 14:50 . 2009-06-18 18:26 82184 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll . ((((((((((((((((((((((((((((( SnapShot@2010-12-29_05.27.39 ))))))))))))))))))))))))))))))))))))))))) . + 2010-12-29 16:57 . 2010-12-29 16:57 16384 c:\windows\temp\Perflib_Perfdata_250.dat + 2010-03-15 18:19 . 2010-12-29 16:59 229868 c:\windows\system32\inetsrv\MetaBase.bin . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X] "MsmqIntCert"="mqrt.dll" [2009-06-25 177152] "AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-06-09 82224] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440] "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168] "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-06-02 238984] "CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-05-21 24848] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384] "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752] "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-14 177456] "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2008-05-14 61440] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136] "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-07-21 115560] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792] c:\documents and settings\dsellago\Start Menu\Programs\Startup\ PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-2-21 333088] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-12 576104] HP Sizing Tool Update Process.lnk - c:\hewlett-packard\ESS Sizers\Smart Update Process\Bin\HPSizingToolUpdateProcess.exe [2010-6-22 397312] VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-6-18 6144] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc] 2007-05-15 23:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock] 2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard] 2008-05-21 00:42 111888 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\WINDOWS\\system32\\mstsc.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"= "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"= "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/21/2008 9:24 PM 174600] R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [6/21/2008 9:49 PM 15416] R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [5/30/2008 10:36 AM 108752] R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [5/30/2008 10:37 AM 51376] R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [5/30/2008 10:37 AM 12928] R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 4:14 AM 24064] R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [5/30/2008 10:37 AM 12496] R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 2:00 AM 14336] R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 2:00 AM 14336] R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/15/2008 4:11 PM 1176824] R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [6/2/2008 11:32 AM 18944] R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [5/30/2008 10:36 AM 256512] R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032] R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/21/2008 10:50 PM 193840] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 3:34 PM 102448] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 1:16 PM 41216] S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/15/2008 2:29 PM 475520] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/21/2010 9:31 AM 23888] S4 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 5:08 PM 182576] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Cognizance REG_MULTI_SZ ASBroker ASChannel HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder . . ------- Supplementary Scan ------- . uInternet Settings,ProxyOverride = <local> DPF: iLO 2 Remote Console Applet - hxxps://163.181.160.28/dvc.cab DPF: iLO Remote Console Applet - hxxps://nodb1avsp01r/dvc.cab DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} - hxxp://netmon/SWToolset.exe . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-12-29 10:59 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe???????????????????????|?M?|?????M?|??@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1352) c:\windows\system32\ackpbsc.dll c:\windows\system32\aclog.dll c:\windows\system32\ACLIBEAY.dll c:\windows\system32\acevtsub.dll c:\windows\system32\asphat32.dll c:\windows\system32\acerrmes.dll c:\windows\system32\aspcom.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll c:\windows\system32\Ati2evxx.dll c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll c:\program files\ActivIdentity\ActivClient\acunlock.dll c:\windows\system32\aipingui.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll - - - - - - - > 'explorer.exe'(6972) c:\windows\system32\WININET.dll c:\windows\system32\APSHook.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\program files\ActivIdentity\ActivClient\acevents.exe c:\windows\system32\Ati2evxx.exe c:\windows\system32\msdtc.exe c:\windows\system32\agrsmsvc.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\windows\system32\inetsrv\inetinfo.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Protexis\License Service\PsiService_2.exe c:\program files\RealVNC\VNC4\WinVNC4.exe c:\windows\system32\mqsvc.exe c:\windows\system32\SearchIndexer.exe c:\windows\system32\mqtgsvc.exe c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\program files\ActivIdentity\ActivClient\acevents.exe c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe c:\program files\Hewlett-Packard\Shared\HpqToaster.exe c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe c:\program files\Common Files\Java\Java Update\jucheck.exe c:\windows\System32\logon.scr . ************************************************************************** . Completion time: 2010-12-29 11:13:46 - machine was rebooted ComboFix-quarantined-files.txt 2010-12-29 17:13 ComboFix2.txt 2010-12-29 05:32 ComboFix3.txt 2010-07-03 01:44 Pre-Run: 23,063,810,048 bytes free Post-Run: 23,023,202,304 bytes free - - End Of File - - 69250F6B98CEA4445768683D6E5E7E8C ******************************************************************************** ************** CF_Submit.htm _4__Submit_2010_12_29_10.30.14.zip

Hi, Today, when i clicked on Internet Links, at times they are getting re-directed automatically to some unknown/Advertisement/Travel sites. Also, New Advertisement/Games Webpages opens frequently. When i checked the Temporary Internet Files, i could see lot of unwanted files (probably) that i never surfed, please see attachment. I ran the Malwarebytes' Anti-Malware and Removed the infected files, but the issue seems to persist. I would like to make sure that my system's infections are clean and clear. ******************************* Malware Scan Logs ********************************* Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4236 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 12/28/2010 12:23:40 PM mbam-log-2010-12-28 (12-23-40).txt Scan type: Full scan (C:\|D:\|M:\|N:\|) Objects scanned: 310024 Time elapsed: 1 hour(s), 30 minute(s), 41 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 4 Registry Values Infected: 0 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: c:\WINDOWS\system32\sshnas21.dll (Trojan.FakeAlert) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\SwSetup\HPTools\PTHST_B3.400\Disk1\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\SwSetup\PTBIOS\Disk1\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sshnas21.dll (Trojan.FakeAlert) -> Delete on reboot. ******************************************************************************** ******* Thanks Dheena

Hi, Please find the Logs. ***************************************** F-Secure Online Scanner ******************************************* Scanning Report Monday, July 5, 2010 18:55:23 - 19:44:12 Computer name: CHNLDSELLAGO Scanning type: Scan system for malware, spyware and rootkits Target: C:\ D:\ M:\ N:\ -------------------------------------------------------------------------------- 11 malware found TrackingCookie.Advertising (spyware) System (Disinfected) TrackingCookie.Atdmt (spyware) System (Disinfected) TrackingCookie.Adtech (spyware) System (Disinfected) TrackingCookie.Doubleclick (spyware) System (Disinfected) TrackingCookie.Adbrite (spyware) System (Disinfected) TrackingCookie.Xiti (spyware) System (Disinfected) TrackingCookie.Webtrends (spyware) System (Disinfected) TrackingCookie.Mediaplex (spyware) System (Disinfected) TrackingCookie.Statcounter (spyware) System (Disinfected) TrackingCookie.Atwola (spyware) System (Disinfected) TrackingCookie.Yieldmanager (spyware) System (Disinfected) -------------------------------------------------------------------------------- Statistics Scanned: Files: 81152 System: 4552 Not scanned: 14 Actions: Disinfected: 11 Renamed: 0 Deleted: 0 Not cleaned: 0 Submitted: 0 Files not scanned: C:\PAGEFILE.SYS C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT C:\WINDOWS\SYSTEM32\CONFIG\SAM C:\WINDOWS\SYSTEM32\CONFIG\SECURITY C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\511A0F3F9E960FA97DE3D0B74ADFC574_F283576E-0471-42CE-8B95-169D98FB607B C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\949C6AE5506478ADE87D7537B287FACC_F283576E-0471-42CE-8B95-169D98FB607B C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\HSPERFDATA_ADMINISTRATOR\5400 C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\HSPERFDATA_ADMINISTRATOR\2792 C:\7392FFF5775CCEBFB79731D6\UPDATE\UPDATE.EXE C:\7392FFF5775CCEBFB79731D6\UPDATE\UPDSPAPI.DLL -------------------------------------------------------------------------------- Options Scanning engines: Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR Use advanced heuristics ******************************************************************************** *********************************** *******************************************************Checkup.txt *************************************************** Results of screen317's Security Check version 0.99.4 Windows XP Service Pack 2 Out of date service pack!! Internet Explorer 7 Out of date! `````````````````````````````` Antivirus/Firewall Check: Windows Security Center service is not running! This report may not be accurate! Windows Firewall Disabled! Antivirus up to date! ``````````````````````````````` Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware HP Operations for UNIX Java Console Java 6 Update 18 Java 2 Runtime Environment, SE v1.4.2_09 HP JavaCard for HP ProtectTools Out of date Java installed! Adobe Flash Player Adobe Reader 9.1 Out of date Adobe Reader installed! ```````````````````````````````` Process Check: objlist.exe by Laurent Symantec Client Security Symantec AntiVirus DefWatch.exe Symantec Client Security Symantec AntiVirus Rtvscan.exe ADMINI~1 LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe ADMINI~1 LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe Symantec Client Security Symantec Client Firewall ISSVC.exe Symantec Client Security Symantec Client Firewall SymSPort.exe ADMINI~1 LOCALS~1 Temp fsonlinescanner.exe ```````````````````````````````` DNS Vulnerability Check: Unknown. This method cannot test your vulnerability to DNS cache poisoning. ``````````End of Log```````````` ******************************************************************************** ***************************

Chris, Please find the necessary Logs : ************************************************ TDSSKiller ******************************************************** 20:41:35:093 2444 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49 20:41:35:109 2444 ================================================================================ 20:41:35:109 2444 SystemInfo: 20:41:35:109 2444 OS Version: 5.1.2600 ServicePack: 2.0 20:41:35:109 2444 Product type: Workstation 20:41:35:109 2444 ComputerName: CHNLDSELLAGO 20:41:35:109 2444 UserName: Administrator 20:41:35:109 2444 Windows directory: C:\WINDOWS 20:41:35:109 2444 System windows directory: C:\WINDOWS 20:41:35:109 2444 Processor architecture: Intel x86 20:41:35:109 2444 Number of processors: 2 20:41:35:109 2444 Page size: 0x1000 20:41:35:109 2444 Boot type: Normal boot 20:41:35:109 2444 ================================================================================ 20:41:35:609 2444 Initialize success 20:41:35:609 2444 20:41:35:609 2444 Scanning Services ... 20:41:36:046 2444 Raw services enum returned 411 services 20:41:36:046 2444 20:41:36:062 2444 Scanning Drivers ... 20:41:36:781 2444 Accelerometer (a0baabb7d3549460e3f8c5ad6f778683) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys 20:41:36:843 2444 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys 20:41:36:859 2444 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys 20:41:36:921 2444 ADIHdAudAddService (ff60db2aca88543c025eacba25cee5c1) C:\WINDOWS\system32\drivers\ADIHdAud.sys 20:41:36:953 2444 AEAudio (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys 20:41:37:000 2444 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys 20:41:37:046 2444 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys 20:41:37:109 2444 AgereSoftModem (38325c6aa8eae011897d61ce48ec6435) C:\WINDOWS\system32\DRIVERS\AGRSM.sys 20:41:37:187 2444 ahcix86 (15da079ff09be5fa6602041ee286de80) C:\WINDOWS\system32\DRIVERS\ahcix86.sys 20:41:37:218 2444 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys 20:41:37:265 2444 Amddfltr (c26488bfb5278b3d357f99d3bbc790c9) C:\WINDOWS\system32\DRIVERS\Amddfltr.sys 20:41:37:312 2444 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 20:41:37:359 2444 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 20:41:37:500 2444 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 20:41:37:546 2444 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys 20:41:37:656 2444 ati2mtag (bc1030fa3b251b3915d6076018586f92) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 20:41:37:812 2444 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 20:41:37:875 2444 ATSwpWDF (a9f9d1d24441889beb1aa2b917457e23) C:\WINDOWS\system32\Drivers\ATSwpWDF.sys 20:41:37:937 2444 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 20:41:37:968 2444 b57w2k (a9d0f6efc61d1ff69b55c495f85dd868) C:\WINDOWS\system32\DRIVERS\b57xp32.sys 20:41:38:015 2444 BCM43XX (9208c78bd9283f79a30252ad954c77a2) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 20:41:38:078 2444 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 20:41:38:125 2444 btaudio (5bcf6090b825def29065bdbd59691dbe) C:\WINDOWS\system32\drivers\btaudio.sys 20:41:38:250 2444 BTDriver (58a49bd10e08d3d4333a60dedcb1ced8) C:\WINDOWS\system32\DRIVERS\btport.sys 20:41:38:343 2444 BTKRNL (ef5e0de0a7ca2977a9255f36f4d915ab) C:\WINDOWS\system32\DRIVERS\btkrnl.sys 20:41:38:406 2444 btwhid (e48668b4a6a5cf68b33aecad18ee8e1e) C:\WINDOWS\system32\DRIVERS\btwhid.sys 20:41:38:453 2444 BTWUSB (053dc5be74621b63bb48c2b86bafc7b0) C:\WINDOWS\system32\Drivers\btwusb.sys 20:41:38:500 2444 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 20:41:38:546 2444 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys 20:41:38:656 2444 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 20:41:38:703 2444 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys 20:41:38:765 2444 Cdrom (882b4257e5a5adfb6b5c03e8a02d4bf1) C:\WINDOWS\system32\DRIVERS\cdrom.sys 20:41:38:796 2444 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys 20:41:38:859 2444 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys 20:41:38:906 2444 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys 20:41:38:953 2444 CVPNDRVA (720482888c3778f26eeb83d286a6cdc3) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 20:41:39:015 2444 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys 20:41:39:078 2444 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys 20:41:39:156 2444 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys 20:41:39:203 2444 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 20:41:39:312 2444 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys 20:41:39:390 2444 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys 20:41:39:437 2444 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys 20:41:39:531 2444 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 20:41:39:593 2444 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 20:41:39:640 2444 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys 20:41:39:765 2444 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys 20:41:39:812 2444 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys 20:41:39:843 2444 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20:41:39:890 2444 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys 20:41:39:937 2444 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 20:41:39:968 2444 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 20:41:40:000 2444 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys 20:41:40:062 2444 HBtnKey (407e41ddb2bfece109132aec296e0d98) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys 20:41:40:093 2444 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 20:41:40:171 2444 hpdskflt (9f620e11b80b74f4dab50a81a5df357f) C:\WINDOWS\system32\DRIVERS\hpdskflt.sys 20:41:40:406 2444 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys 20:41:40:500 2444 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys 20:41:40:562 2444 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 20:41:40:593 2444 IFXTPM (667cfdb801df771f47b7c39373c2d850) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS 20:41:40:656 2444 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys 20:41:40:687 2444 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys 20:41:40:734 2444 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys 20:41:40:843 2444 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 20:41:40:890 2444 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys 20:41:40:921 2444 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys 20:41:40:984 2444 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys 20:41:41:015 2444 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys 20:41:41:062 2444 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys 20:41:41:093 2444 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 20:41:41:140 2444 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 20:41:41:187 2444 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys 20:41:41:218 2444 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys 20:41:41:265 2444 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys 20:41:41:312 2444 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 20:41:41:343 2444 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys 20:41:41:406 2444 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys 20:41:41:421 2444 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys 20:41:41:468 2444 MQAC (eee50bf24caeedb515a8f3b22756d3bb) C:\WINDOWS\system32\drivers\mqac.sys 20:41:41:578 2444 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 20:41:41:625 2444 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 20:41:41:687 2444 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys 20:41:41:718 2444 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys 20:41:41:750 2444 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 20:41:41:781 2444 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys 20:41:41:812 2444 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 20:41:41:859 2444 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys 20:41:41:875 2444 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys 20:41:41:906 2444 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 20:41:42:015 2444 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100703.003\naveng.sys 20:41:42:062 2444 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100703.003\navex15.sys 20:41:42:187 2444 NDIS (aa898f84d2b59129fb92e143a2c73434) C:\WINDOWS\system32\drivers\NDIS.sys 20:41:42:234 2444 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys 20:41:42:281 2444 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 20:41:42:328 2444 Ndisuio (5146c3d286e66c72328f6ce6e4d983a8) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 20:41:42:343 2444 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 20:41:42:375 2444 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys 20:41:42:421 2444 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys 20:41:42:468 2444 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys 20:41:42:500 2444 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys 20:41:42:546 2444 nmwcd (c3963d85b721a7f80d8a55f4e2867a3a) C:\WINDOWS\system32\drivers\ccdcmb.sys 20:41:42:562 2444 nmwcdc (3859c69a77793180548802dac9f34a38) C:\WINDOWS\system32\drivers\ccdcmbo.sys 20:41:42:593 2444 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys 20:41:42:625 2444 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys 20:41:42:718 2444 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 20:41:42:765 2444 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 20:41:42:796 2444 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 20:41:42:812 2444 ohci1394 (197ddf60b254a84d8656850397b5f923) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 20:41:42:859 2444 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys 20:41:42:875 2444 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys 20:41:42:906 2444 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 20:41:42:953 2444 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys 20:41:42:968 2444 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys 20:41:43:000 2444 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 20:41:43:031 2444 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys 20:41:43:093 2444 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys 20:41:43:156 2444 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys 20:41:43:171 2444 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys 20:41:43:203 2444 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 20:41:43:265 2444 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 20:41:43:296 2444 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys 20:41:43:328 2444 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 20:41:43:406 2444 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 20:41:43:437 2444 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 20:41:43:468 2444 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys 20:41:43:500 2444 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 20:41:43:515 2444 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 20:41:43:562 2444 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys 20:41:43:609 2444 redbook (7babb669731fc537e50d707a6d16e848) C:\WINDOWS\system32\DRIVERS\redbook.sys 20:41:43:656 2444 RMCAST (d18208ed6c768663b08c972eaa7a8b60) C:\WINDOWS\system32\drivers\RMCast.sys 20:41:43:687 2444 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys 20:41:43:703 2444 RsvLock (07b7213ba5d87f19bc9f1dd3dd2619f2) C:\WINDOWS\system32\drivers\RsvLock.sys 20:41:43:734 2444 SafeBoot (fbd8bfd3faf7691f1f1053270af176d6) C:\WINDOWS\system32\drivers\SafeBoot.sys 20:41:43:734 2444 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\SafeBoot.sys. md5: fbd8bfd3faf7691f1f1053270af176d6 20:41:43:796 2444 SAVRT (2861c841b03def48402e63277d9cac22) C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys 20:41:43:859 2444 SAVRTPEL (54484c13e4d9b268c66d59e9ccb570e6) C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys 20:41:43:937 2444 SbAlg (7852168088eb0022a37d0217788ab639) C:\WINDOWS\system32\drivers\SbAlg.sys 20:41:44:000 2444 SbFsLock (f80c0ce3d911b35d6ffe0bd8af608ce6) C:\WINDOWS\system32\drivers\SbFsLock.sys 20:41:44:062 2444 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys 20:41:44:125 2444 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys 20:41:44:140 2444 Serial (d4c04ddc151290e749eb83c3d123fdb2) C:\WINDOWS\system32\DRIVERS\serial.sys 20:41:44:140 2444 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: d4c04ddc151290e749eb83c3d123fdb2, Fake md5: cd9404d115a00d249f70a371b46d5a26 20:41:44:140 2444 File "C:\WINDOWS\system32\DRIVERS\serial.sys" infected by TDSS rootkit ... 20:41:46:171 2444 Backup copy found, using it.. 20:41:46:203 2444 will be cured on next reboot 20:41:46:359 2444 SFAUDIO (b6401608579b6431994425ba7653f774) C:\WINDOWS\system32\drivers\sfaudio.sys 20:41:46:406 2444 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys 20:41:46:468 2444 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys 20:41:46:500 2444 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys 20:41:46:578 2444 SNP2UVC (cf9cde12fbc19dba8de528b7511a2f4f) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys 20:41:46:687 2444 SPBBCDrv (60053e9c1fc4f6887c296c19cb825244) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 20:41:46:828 2444 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys 20:41:46:843 2444 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys 20:41:46:890 2444 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys 20:41:46:937 2444 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 20:41:46:968 2444 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys 20:41:47:000 2444 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys 20:41:47:046 2444 SYMDNS (a2aded37cee0dbe61eb63b9a71717b96) C:\WINDOWS\System32\Drivers\SYMDNS.SYS 20:41:47:093 2444 SymEvent (c5eafb6a8c73fb26b73ee613c1a5aef6) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 20:41:47:140 2444 SYMFW (e831a68aaab821800ea60271472701c6) C:\WINDOWS\System32\Drivers\SYMFW.SYS 20:41:47:203 2444 SYMIDS (49a3583f21f6e76ae31da745fab77563) C:\WINDOWS\System32\Drivers\SYMIDS.SYS 20:41:47:343 2444 SYMIDSCO (14316306984f8ae6b6090b29a5f097b6) C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20100630.002\symidsco.sys 20:41:47:484 2444 SYMNDIS (2b7224f4ad9c9b8c6025af8934130652) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS 20:41:47:531 2444 SYMREDRV (5f9055055dc4900f74fb690b61448be4) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 20:41:47:578 2444 SYMTDI (5561a9d2d1b6529a95cbbffaed7791c1) C:\WINDOWS\System32\Drivers\SYMTDI.SYS 20:41:47:656 2444 SynTP (926e0bb4cac05d9a0c3b59dc16fe2f1c) C:\WINDOWS\system32\DRIVERS\SynTP.sys 20:41:47:718 2444 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys 20:41:47:781 2444 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys 20:41:47:828 2444 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys 20:41:47:875 2444 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys 20:41:47:984 2444 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys 20:41:48:031 2444 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys 20:41:48:093 2444 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys 20:41:48:156 2444 upperdev (0ccadc7391021376edbb8aa649d04e68) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys 20:41:48:218 2444 usbehci (4ffaea1bd071a72dfb76519f5b1da956) C:\WINDOWS\system32\DRIVERS\usbehci.sys 20:41:48:265 2444 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys 20:41:48:296 2444 usbohci (cf6a92832cefec2118d5913816acbf44) C:\WINDOWS\system32\DRIVERS\usbohci.sys 20:41:48:359 2444 usbser (6c0d0803102808d528ab9d38747c6f73) C:\WINDOWS\system32\drivers\usbser.sys 20:41:48:406 2444 UsbserFilt (68b4f83cccf70a2ff32ee142c234332a) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys 20:41:48:437 2444 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 20:41:48:500 2444 usbuhci (1590742573fcafdd9c837478eb1846a4) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20:41:48:531 2444 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys 20:41:48:562 2444 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys 20:41:48:656 2444 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys 20:41:48:750 2444 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys 20:41:48:859 2444 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys 20:41:48:937 2444 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 20:41:49:078 2444 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys 20:41:49:140 2444 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 20:41:49:187 2444 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys 20:41:49:234 2444 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS 20:41:49:281 2444 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 20:41:49:343 2444 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 20:41:49:375 2444 Reboot required for cure complete.. 20:41:49:750 2444 Cure on reboot scheduled successfully 20:41:49:750 2444 20:41:49:750 2444 Completed 20:41:49:750 2444 20:41:49:750 2444 Results: 20:41:49:750 2444 Registry objects infected / cured / cured on reboot: 0 / 0 / 0 20:41:49:750 2444 File objects infected / cured / cured on reboot: 1 / 0 / 1 20:41:49:750 2444 20:41:49:765 2444 KLMD(ARK) unloaded successfully ******************************************************************************** ************************************** **************************************************** SYScut *********************************************************** File SySCut.dat received on 2010.07.03 15:32:58 (UTC) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/40 (0%) Loading server information... Your file is queued in position: ___. Estimated start time is between ___ and ___ . Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 5.0.0.31 2010.07.03 - AhnLab-V3 2010.07.03.00 2010.07.03 - AntiVir 8.2.4.2 2010.07.02 - Antiy-AVL 2.0.3.7 2010.07.02 - Authentium 5.2.0.5 2010.07.03 - Avast 4.8.1351.0 2010.07.03 - Avast5 5.0.332.0 2010.07.03 - AVG 9.0.0.836 2010.07.03 - BitDefender 7.2 2010.07.03 - CAT-QuickHeal 11.00 2010.06.30 - ClamAV 0.96.0.3-git 2010.07.03 - Comodo 5302 2010.07.03 - DrWeb 5.0.2.03300 2010.07.03 - eSafe 7.0.17.0 2010.06.30 - eTrust-Vet 36.1.7684 2010.07.03 - F-Prot 4.6.1.107 2010.07.02 - F-Secure 9.0.15370.0 2010.07.03 - Fortinet 4.1.133.0 2010.07.03 - GData 21 2010.07.03 - Ikarus T3.1.1.84.0 2010.07.03 - Jiangmin 13.0.900 2010.07.03 - Kaspersky 7.0.0.125 2010.07.03 - McAfee 5.400.0.1158 2010.07.03 - McAfee-GW-Edition 2010.1 2010.07.02 - Microsoft 1.5902 2010.07.03 - NOD32 5248 2010.07.03 - Norman 6.05.10 2010.07.03 - nProtect 2010-07-03.02 2010.07.03 - Panda 10.0.2.7 2010.07.03 - Prevx 3.0 2010.07.03 - Rising 22.54.04.04 2010.07.02 - Sophos 4.54.0 2010.07.03 - Sunbelt 6540 2010.07.03 - Symantec 20101.1.0.89 2010.07.03 - TheHacker 6.5.2.1.307 2010.07.01 - TrendMicro 9.120.0.1004 2010.07.03 - TrendMicro-HouseCall 9.120.0.1004 2010.07.03 - VBA32 3.12.12.5 2010.07.02 - ViRobot 2010.7.3.3920 2010.07.03 - VirusBuster 5.0.27.0 2010.07.02 - Additional information File size: 5 bytes MD5...: 2cdcbccac92b353969bb2e447ce47fef SHA1..: a5836d8a2228bb61a297c32ab3150d31efcd83b8 SHA256: b45482224b439a3d548c65378929b7dcc16a42288530b7b20d5c8103cc879d10 ssdeep: 3:T:T PEiD..: - PEInfo: - RDS...: NSRL Reference Data Set - pdfid.: - trid..: Unknown! sigcheck: publisher....: n/a copyright....: n/a product......: n/a description..: n/a original name: n/a internal name: n/a file version.: n/a comments.....: n/a signers......: - signing date.: - verified.....: Unsigned ******************************************************************************** ********************************** ********************************************************* affv11300p2now ******************************************* File affv11300p2now.sys received on 2010.07.03 15:57:58 (UTC) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/41 (0%) Loading server information... Your file is queued in position: 1. Estimated start time is between 40 and 57 seconds. Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 5.0.0.31 2010.07.03 - AhnLab-V3 2010.07.03.00 2010.07.03 - AntiVir 8.2.4.2 2010.07.02 - Antiy-AVL 2.0.3.7 2010.07.02 - Authentium 5.2.0.5 2010.07.03 - Avast 4.8.1351.0 2010.07.03 - Avast5 5.0.332.0 2010.07.03 - AVG 9.0.0.836 2010.07.03 - BitDefender 7.2 2010.07.03 - CAT-QuickHeal 11.00 2010.06.30 - ClamAV 0.96.0.3-git 2010.07.03 - Comodo 5303 2010.07.03 - DrWeb 5.0.2.03300 2010.07.03 - eSafe 7.0.17.0 2010.06.30 - eTrust-Vet 36.1.7684 2010.07.03 - F-Prot 4.6.1.107 2010.07.02 - F-Secure 9.0.15370.0 2010.07.03 - Fortinet 4.1.133.0 2010.07.03 - GData 21 2010.07.03 - Ikarus T3.1.1.84.0 2010.07.03 - Jiangmin 13.0.900 2010.07.03 - Kaspersky 7.0.0.125 2010.07.03 - McAfee 5.400.0.1158 2010.07.03 - McAfee-GW-Edition 2010.1 2010.07.02 - Microsoft 1.5902 2010.07.03 - NOD32 5248 2010.07.03 - Norman 6.05.10 2010.07.03 - nProtect 2010-07-03.02 2010.07.03 - Panda 10.0.2.7 2010.07.03 - PCTools 7.0.3.5 2010.07.02 - Prevx 3.0 2010.07.03 - Rising 22.54.04.04 2010.07.02 - Sophos 4.54.0 2010.07.03 - Sunbelt 6540 2010.07.03 - Symantec 20101.1.0.89 2010.07.03 - TheHacker 6.5.2.1.307 2010.07.01 - TrendMicro 9.120.0.1004 2010.07.03 - TrendMicro-HouseCall 9.120.0.1004 2010.07.03 - VBA32 3.12.12.5 2010.07.02 - ViRobot 2010.7.3.3920 2010.07.03 - VirusBuster 5.0.27.0 2010.07.02 - Additional information File size: 3082 bytes MD5...: cfd258adfebca0daa581f5dcddeb8dfa SHA1..: 5aa5dd557d0ea0fc83d2866db4927c2d908f1679 SHA256: 21760a8f682dab6088bc6b221f4308c02f6f280665b379a7da112c2f646deb1c ssdeep: 3:g/llN1KJS4QiLd9ETMCOEx+DJWAXK:gCc4QiZErx+FWy PEiD..: - PEInfo: - RDS...: NSRL Reference Data Set - trid..: OpenGL object (32.1%) Lotus 123 Worksheet (generic) (16.1%) Game Music Creator Music (9.0%) MacBinary 1 header (8.2%) Targa bitmap (Original TGA Format - No Image ID) (8.0%) pdfid.: - sigcheck: publisher....: n/a copyright....: n/a product......: n/a description..: n/a original name: n/a internal name: n/a file version.: n/a comments.....: n/a signers......: - signing date.: - verified.....: Unsigned ******************************************************************************** *************************************

Hi Chris, This time it worked. I ran the combofix in the SafeMode Please find the Combofix log in the attachment. Also, here are the New DDS Logs. ********************************************* DDS ************************************************************** DDS (Ver_10-03-17.01) - NTFSx86 Run by Administrator at 20:55:16.50 on Fri 07/02/2010 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1789.857 [GMT -5:00] AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187} ============== Running Processes =============== C:\WINDOWS\System32\svchost.exe -k Cognizance c:\Program Files\Fingerprint Sensor\AtService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe C:\WINDOWS\system32\agrsmsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\AccelerometerSt.Exe C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe c:\Program Files\ActivIdentity\ActivClient\acevents.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\system32\mqsvc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\mqtgsvc.exe c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Administrator\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [MsmqIntCert] regsvr32 /s mqrt.dll mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.Exe mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe" mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles startup mRun: [NokiaMusic FastStart] "c:\program files\nokia\ovi player\NokiaOviPlayer.exe" /command:faststart mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL DPF: iLO Remote Console Applet - hxxps://nodb1avsp01r/dvc.cab DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - hxxp://ausb3rmwp01/arsys/apps/shared DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} - hxxp://netmon/SWToolset.exe DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://hp.webex.com/client/T26L/webex/ieatgpc.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: ackpbsc - c:\windows\system32\ackpbsc.dll Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: NavLogon - c:\windows\system32\NavLogon.dll Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll AppInit_DLLs: APSHook.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll ============= SERVICES / DRIVERS =============== =============== Created Last 30 ================ ==================== Find3M ==================== ============= FINISH: 20:56:41.56 =============== ******************************************************************************** ****************************** *********************************************** Attach ******************************************************** UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_10-03-17.01) Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 7/1/2009 1:31:00 PM System Uptime: 7/2/2010 8:48:47 PM (0 hours ago) Motherboard: Hewlett-Packard | | 30E3 Processor: AMD AthlonX2 DualCore QL-60 | Unknown | 1900/200mhz Processor: AMD AthlonX2 DualCore QL-60 | Unknown | 1900/200mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 48 GiB total, 20.933 GiB free. D: is FIXED (NTFS) - 50 GiB total, 32.865 GiB free. E: is CDROM () M: is FIXED (NTFS) - 25 GiB total, 17.051 GiB free. N: is FIXED (NTFS) - 26 GiB total, 15.397 GiB free. ==== Disabled Device Manager Items ============= Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: 1394 Net Adapter Device ID: V1394\NIC1394\1122335555667799 Manufacturer: Microsoft Name: 1394 Net Adapter PNP Device ID: V1394\NIC1394\1122335555667799 Service: NIC1394 Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Cisco Systems VPN Adapter Device ID: ROOT\NET\0000 Manufacturer: Cisco Systems Name: Cisco Systems VPN Adapter PNP Device ID: ROOT\NET\0000 Service: CVirtA Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A} Description: 5800 XpressMusic Device ID: ROOT\WPD\0000 Manufacturer: Nokia Name: 5800 XpressMusic PNP Device ID: ROOT\WPD\0000 Service: WUDFRd ==== System Restore Points =================== RP239: 4/27/2010 9:41:01 PM - Installed PrimalScript 2009 RP240: 4/29/2010 11:20:31 AM - System Checkpoint RP241: 4/30/2010 11:30:47 AM - System Checkpoint RP242: 5/2/2010 5:54:10 AM - System Checkpoint RP243: 5/3/2010 10:46:08 AM - System Checkpoint RP244: 5/4/2010 11:26:55 AM - System Checkpoint RP245: 5/4/2010 10:23:07 PM - Installed WMI Tools RP246: 5/6/2010 8:58:15 AM - System Checkpoint RP247: 5/7/2010 9:15:00 AM - System Checkpoint RP248: 5/9/2010 6:09:00 AM - System Checkpoint RP249: 5/10/2010 10:17:25 AM - System Checkpoint RP250: 5/11/2010 11:17:41 AM - System Checkpoint RP251: 5/12/2010 11:47:44 AM - System Checkpoint RP252: 5/13/2010 11:53:11 AM - System Checkpoint RP253: 5/15/2010 5:44:00 AM - System Checkpoint RP254: 5/15/2010 10:16:24 AM - Software Distribution Service 3.0 RP255: 5/17/2010 11:28:07 AM - System Checkpoint RP256: 5/18/2010 12:40:12 PM - System Checkpoint RP257: 5/19/2010 8:52:25 PM - System Checkpoint RP258: 5/19/2010 9:07:16 PM - Installed ActivePerl 5.10.1 Build 1007 RP259: 5/21/2010 10:55:49 AM - System Checkpoint RP260: 5/24/2010 11:35:20 AM - System Checkpoint RP261: 5/25/2010 1:04:33 PM - System Checkpoint RP262: 5/26/2010 1:17:24 PM - System Checkpoint RP263: 5/26/2010 8:15:24 PM - Removed Nokia Software Updater. RP264: 5/26/2010 8:16:33 PM - Removed Nokia Connectivity Cable Driver RP265: 5/26/2010 8:17:36 PM - Removed PC Connectivity Solution RP266: 5/26/2010 10:15:59 PM - Software Distribution Service 3.0 RP267: 5/28/2010 11:23:18 AM - System Checkpoint RP268: 5/29/2010 11:57:41 AM - System Checkpoint RP269: 5/31/2010 8:31:08 AM - System Checkpoint RP270: 6/1/2010 11:34:31 AM - System Checkpoint RP271: 6/2/2010 11:40:53 AM - System Checkpoint RP272: 6/3/2010 1:28:35 PM - System Checkpoint RP273: 6/5/2010 3:43:01 PM - System Checkpoint RP274: 6/9/2010 11:22:30 AM - System Checkpoint RP275: 6/10/2010 11:30:09 AM - System Checkpoint RP276: 6/11/2010 12:11:59 PM - System Checkpoint RP277: 6/14/2010 11:46:27 AM - System Checkpoint RP278: 6/14/2010 1:17:28 PM - Installed Adobe Flash Player 10 ActiveX. RP279: 6/15/2010 3:51:47 PM - System Checkpoint RP280: 6/17/2010 12:00:59 PM - System Checkpoint RP281: 6/18/2010 12:05:20 PM - System Checkpoint RP282: 6/21/2010 11:57:55 AM - System Checkpoint RP283: 6/21/2010 9:44:54 PM - Software Distribution Service 3.0 RP284: 6/22/2010 9:45:47 PM - Software Distribution Service 3.0 RP285: 6/24/2010 11:30:10 AM - System Checkpoint RP286: 6/25/2010 9:45:10 AM - Installed Windows 7 Upgrade Advisor RP287: 6/28/2010 9:48:19 AM - System Checkpoint RP288: 6/29/2010 10:40:37 AM - System Checkpoint RP289: 6/30/2010 12:14:24 PM - System Checkpoint RP290: 7/1/2010 12:37:35 PM - System Checkpoint RP291: 7/2/2010 3:58:37 PM - System Checkpoint ==== Installed Programs ====================== ==== Event Viewer Messages From Past Week ======== ==== End Of File =========================== ******************************************************************************** ************************** ComboFix.zip

Hi Chris, As suggested, i performed the mentioned steps. But again, the combofix stays up at the page - "Scanning for infected Files". It stays there for more than 30 mins and i had to do a hard re-boot. do we have any other option available here? Thanks Dheena

Hey, I ran the combofix twice, first time it kept running for 4.5 hours, which i had to close abruptly. Re-booted the Machine and ran again for 7 hours, this time also it kept running and has to close it. Both the instances, the firewall (All symantec services) were disabled and the combofix was stuck in the page that shows "Scanning for infected Files ..., Typically doesn't take more than 10 mins ." . Do we have any other options, Am i on the right path ? -Dheena

Hello, Whenever i open IE, within seconds - symantec detects intrusions and blocks the IE Traffic. Also when i click on the Google search results, it automatically gets re-directedly to some un-known web-pages and within few second the Internet Traffic gets disconnected. I need to wait for 30mins or add the intrusion IP to symantec Exclude List to browse Internet. I ran the Malwarebytes' Anti-Malware and Removed the infected files, but the issue still persists. Please help to fix this issue. Thanks ******************************** Malwarebytes' Anti-Malware 1.46 *************************** Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4236 Windows 5.1.2600 Service Pack 2 Internet Explorer 7.0.5730.13 6/24/2010 10:00:48 PM mbam-log-2010-06-24 (22-00-48).txt Scan type: Quick scan Objects scanned: 148657 Time elapsed: 10 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 2 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[system] (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ****************************************************************************** ***************************** DDS.txt ****************************************** DDS (Ver_10-03-17.01) - NTFSx86 Run by Administrator at 22:49:22.87 on Thu 06/24/2010 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1789.809 [GMT -5:00] AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187} ============== Running Processes =============== C:\WINDOWS\System32\svchost.exe -k Cognizance c:\Program Files\Fingerprint Sensor\AtService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\system32\agrsmsvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe C:\WINDOWS\system32\AccelerometerSt.Exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE c:\Program Files\ActivIdentity\ActivClient\acevents.exe C:\WINDOWS\system32\mnmsrvc.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\system32\mqsvc.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\mqtgsvc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Administrator\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe" uRun: [PC Suite Tray] "n:\nokia 5800\programfiles\nokia pc suite 7\PCSuite.exe" -onlytray mRun: [MsmqIntCert] regsvr32 /s mqrt.dll mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.Exe mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe" mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles startup mRun: [NokiaMusic FastStart] "c:\program files\nokia\ovi player\NokiaOviPlayer.exe" /command:faststart mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRunOnce: [!CleanupNetMeetingDispDriver] "c:\windows\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0 StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL DPF: iLO Remote Console Applet - hxxps://nodb1avsp01r/dvc.cab DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - hxxp://ausb3rmwp01/arsys/apps/shared DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} - hxxp://netmon/SWToolset.exe DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://hp.webex.com/client/T26L/webex/ieatgpc.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: ackpbsc - c:\windows\system32\ackpbsc.dll Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: NavLogon - c:\windows\system32\NavLogon.dll Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll AppInit_DLLs: c:\windows\system32\APSHook.dll APSHook.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll LSA: Notification Packages = scecli ASWLNPkg ============= SERVICES / DRIVERS =============== R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-6-21 174600] R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [2008-6-21 15416] R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-5-30 108752] R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2008-5-30 51376] R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-5-30 12928] R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064] R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-5-30 12496] R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2008-5-28 337280] R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2008-5-28 54656] R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336] R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336] R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-15 1176824] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2008-6-24 191848] R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2008-6-24 202088] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2008-6-24 169320] R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2008-6-2 18944] R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2008-5-30 256512] R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2008-9-30 1956792] R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-21 193840] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-4 41216] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100624.002\naveng.sys [2010-6-24 85552] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100624.002\navex15.sys [2010-6-24 1347504] S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-5-15 475520] S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2008-9-30 116664] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952] S4 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576] =============== Created Last 30 ================ 2010-06-25 03:41:49 0 ----a-w- c:\documents and settings\administrator\defogger_reenable 2010-06-25 02:46:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-06-25 02:46:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-06-25 02:46:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-06-25 02:46:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-06-06 10:52:55 58 ----a-w- c:\windows\Audiocut.ini 2010-06-06 10:49:57 5 ----a-w- c:\windows\system32\SySCut.dat 2010-06-06 10:49:41 3082 ----a-w- c:\windows\system32\affv11300p2now.sys 2010-05-27 01:18:08 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys 2010-05-27 01:17:57 0 d-----w- c:\program files\PC Connectivity Solution 2010-05-27 01:17:13 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys 2010-05-27 01:17:12 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys 2010-05-27 01:17:10 22528 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys 2010-05-27 01:17:08 662016 ----a-w- c:\windows\system32\nmwcdcocls.dll 2010-05-27 01:17:08 18176 ----a-w- c:\windows\system32\drivers\ccdcmb.sys 2010-05-27 01:17:08 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll ==================== Find3M ==================== 2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe 2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys 2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\dllcache\win32k.sys 2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll 2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll 2010-04-16 11:43:25 634656 ------w- c:\windows\system32\dllcache\iexplore.exe 2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll 2010-04-06 09:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll ============= FINISH: 22:50:49.28 =============== ark.zip

Hello, Whenever i open IE, within seconds - symantec detects intrusions and blocks the IE Traffic. Also when i click on the Google search results, it automatically gets re-directedly to some un-known web-pages and within second the Internet Traffic gets disconnected. I have attached the Symantec's Log Viewer. Please help me to resolve this issue. Thanks