vrp14

  1. I see by looking around that I am not the only one with this problem. My husband picked this up on Saturday night sometime. I am unable to open or run anything on the infected computer. It even follows me to safe mode and won't allow me to do anything. Luckily I just fixed my brother's computer to be able to have a clean computer to use a flash drive and communicate with. Any help you can give would be appreciated. Val
  2. Thank you, this has rid me of those last two items. Thanks, Val
  3. Hello, I am cleaning up my brother's computer and have gotten down to these last two things that I can't get rid of without some help. Any light you can shed on this would be appreciated. Val

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6480

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/30/2011 9:02:50 PM
mbam-log-2011-04-30 (21-02-50).txt

Scan type: Quick scan
Objects scanned: 133361
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jason Perez at 21:26:51.95 on Sat 04/30/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.612 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\IDT\WDM\STacSV.exe svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\sttray.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\IDT\WDM\sttray.exe C:\WINDOWS\system32\AESTFltr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Documents and Settings\Jason Perez\Desktop\dds.com . ============== Pseudo HJT Report =============== . 
uStart Page = hxxp://www.Yahoo.com uDefault_Page_URL = hxxp://www.Yahoo.com mDefault_Page_URL = hxxp://www.Yahoo.com BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Jason Perez] c:\documents and settings\jason perez\Jason Perez.exe /i mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [iDTSysTrayApp] sttray.exe mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe IE: Send to &Bluetooth Device... 
- c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ============= SERVICES / DRIVERS =============== . 
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-30 11608] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-30 135336] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-30 269480] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-30 61960] R2 viewpoint manager service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-9 24652] R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-19 112128] S1 607eaf00;607eaf00;c:\windows\system32\drivers\607eaf00.sys --> c:\windows\system32\drivers\607eaf00.sys [?] . =============== Created Last 30 ================ . 2011-05-01 01:16:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-05-01 01:16:47 -------- d-----w- c:\program files\Avira 2011-05-01 01:16:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira 2011-04-30 00:41:37 -------- d-----w- c:\docume~1\jasonp~1\applic~1\Malwarebytes 2011-04-30 00:31:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-04-30 00:31:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2011-04-30 00:31:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-04-30 00:31:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-04-30 00:19:05 -------- d-----w- c:\docume~1\jasonp~1\locals~1\applic~1\Viewpoint 2011-04-03 03:50:09 -------- d-----w- c:\program files\common files\Viewpoint . ==================== Find3M ==================== . . ============= FINISH: 21:27:55.85 =============== ark.zip Attach.zip
  4. Everything seems to be great! I haven't encountered any of the problems I started with. Thank you soooooo much.
  5. All processes killed ========== PROCESSES ========== ========== SERVICES/DRIVERS ========== ========== REGISTRY ========== ========== FILES ========== C:\Documents and Settings\dooley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-72b34e45.zip moved successfully. C:\Documents and Settings\dooleyk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-72b34e45.zip moved successfully. File/Folder C:\DOCUME~1\dooleyk\LOCALS~1\Temp\mxYgoIBYas.exe not found. File/Folder C:\DOCUME~1\dooleyk\LOCALS~1\Temp\2828156.exe not found. < ipconfig /flushdns /c > Windows IP Configuration Successfully flushed the DNS Resolver Cache. C:\Documents and Settings\dooleyk\Desktop\cmd.bat deleted successfully. C:\Documents and Settings\dooleyk\Desktop\cmd.txt deleted successfully. ========== COMMANDS ========== C:\WINDOWS\System32\drivers\etc\Hosts moved successfully. HOSTS file reset successfully [EMPTYTEMP] User: admin ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes ->Flash cache emptied: 348 bytes User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 781403 bytes ->Flash cache emptied: 782 bytes User: All Users User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: dooley ->Temp folder emptied: 133515208 bytes ->Temporary Internet Files folder emptied: 240856692 bytes ->Java cache emptied: 67631018 bytes ->Flash cache emptied: 133370 bytes User: dooleyk ->Temp folder emptied: 110679998 bytes ->Temporary Internet Files folder emptied: 5678529 bytes ->Java cache emptied: 180295787 bytes ->FireFox cache emptied: 99323223 bytes ->Flash cache emptied: 3154523 bytes User: LocalService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 735582 bytes %systemdrive% .tmp files 
removed: 0 bytes %systemroot% .tmp files removed: 3903160 bytes %systemroot%\System32 .tmp files removed: 2577 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 483 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 808.00 mb Restore point Set: OTM Restore Point (0) OTM by OldTimer - Version 3.1.17.2 log created on 11152010_133659 Files moved on Reboot... Registry entries deleted on Reboot...
  6. ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=591dcf248e7bbd49ab1c4603dea0e81a # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2010-11-15 12:47:34 # local_time=2010-11-14 07:47:34 (-0500, Eastern Standard Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # compatibility_mode=8449 16775129 100 99 2226204 91338812 2287591 0 # scanned=189406 # found=15 # cleaned=0 # scan_time=9624 C:\Documents and Settings\dooley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-72b34e45.zip probably a variant of Win32/Agent.HYOTECU trojan 00000000000000000000000000000000 I C:\Documents and Settings\dooleyk\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-72b34e45.zip probably a variant of Win32/Agent.HYOTECU trojan 00000000000000000000000000000000 I C:\Qoobox\Quarantine\C\Documents and Settings\dooleyk\Application Data\Microsoft\svchost.exe.vir a variant of Win32/Kryptik.ICX trojan 00000000000000000000000000000000 I C:\Qoobox\Quarantine\C\Documents and Settings\dooleyk\Application Data\Microsoft\Windows\shell.exe.vir a variant of Win32/Kryptik.ICX trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP846\A0784458.exe a variant of Win32/Kryptik.HUN trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP846\A0784459.exe a variant of Win32/Kryptik.HKQ trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP847\A0784474.exe a variant of Win32/Kryptik.HTU trojan 00000000000000000000000000000000 I C:\System Volume 
Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP850\A0784559.exe a variant of Win32/Kryptik.HUN trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP850\A0784560.exe a variant of Win32/Kryptik.HSO trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP854\A0785038.exe Win32/Cycbot.AA trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP854\A0785039.exe a variant of Win32/Kryptik.HVW trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP855\A0785050.exe probably a variant of Win32/Kryptik.ICF trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP857\A0785090.exe a variant of Win32/Kryptik.ICF trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP860\A0793727.exe a variant of Win32/Kryptik.ICF trojan 00000000000000000000000000000000 I C:\System Volume Information\_restore{9B85971B-7478-44F1-9B41-DCF85B2FDA90}\RP860\A0793728.exe a variant of Win32/Kryptik.HYC trojan 00000000000000000000000000000000 I
  7. Kaspersky online. The Java checked out fine.
  8. I can't seem to get this to run. I keep getting a message "[ERROR: License has expired]". I will keep trying, but if you have any suggestions I would gladly take them. Thanks.
  9. Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5110

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/13/2010 6:46:58 PM
mbam-log-2010-11-13 (18-46-58).txt

Scan type: Quick scan
Objects scanned: 199723
Time elapsed: 14 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Desktop\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

  10. Malwarebytes' Anti-Malware 1.43

Database version: 3458

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/13/2010 6:12:50 PM
mbam-log-2010-11-13 (18-12-50).txt

Scan type: Quick Scan
Objects scanned: 161808
Time elapsed: 12 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  11. I can not run this unless I am in safe mode. Here is the updated log from safe mode. ComboFix 10-11-12.01 - dooleyk 11/13/2010 16:54:31.6.2 - x86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.691 [GMT -5:00] Running from: c:\documents and settings\dooleyk\Desktop\Combo-Fix.exe AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\dooleyk\Desktop\Quick Defragmenter.lnk c:\documents and settings\dooleyk\Start Menu\Programs\Quick Defragmenter c:\documents and settings\dooleyk\Start Menu\Programs\Quick Defragmenter\Quick Defragmenter.lnk c:\documents and settings\dooleyk\Start Menu\Programs\Quick Defragmenter\Uninstall Quick Defragmenter.lnk . ((((((((((((((((((((((((( Files Created from 2010-10-13 to 2010-11-13 ))))))))))))))))))))))))))))))) . 2010-11-03 20:26 . 2010-11-03 20:26 -------- d-----w- c:\program files\iPod 2010-11-03 20:26 . 2010-11-03 20:27 -------- d-----w- c:\program files\iTunes 2010-11-03 20:26 . 2010-11-03 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-11-03 20:20 . 2010-11-03 20:20 -------- d-----w- c:\program files\Bonjour 2010-11-03 20:14 . 2010-11-03 20:14 -------- d-----w- c:\program files\Safari 2010-11-02 12:09 . 2010-11-02 12:09 -------- d-----w- c:\documents and settings\dooleyk\Local Settings\Application Data\Octoshape . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-10-07 20:24 . 2010-10-07 20:24 419779 ----a-w- c:\documents and settings\All Users\SPL9B.tmp 2010-09-18 16:23 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 
2006-02-28 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx 2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts 2010-09-01 11:51 . 2006-02-28 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42 . 2006-02-28 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys 2010-08-27 08:02 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2010-08-27 05:57 . 2006-02-28 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll 2010-08-26 13:39 . 2006-02-28 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys 2010-08-26 12:52 . 2009-04-15 19:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-08-23 16:12 . 2006-02-28 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll 2010-08-17 13:17 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-16 08:45 . 2006-02-28 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll . ((((((((((((((((((((((((((((( SnapShot@2010-11-13_03.19.17 ))))))))))))))))))))))))))))))))))))))))) . - 2006-02-28 12:00 . 2010-11-13 03:12 72312 c:\windows\system32\perfc009.dat + 2006-02-28 12:00 . 2010-11-13 21:52 72312 c:\windows\system32\perfc009.dat + 2006-02-28 12:00 . 2010-11-13 21:52 444054 c:\windows\system32\perfh009.dat - 2006-02-28 12:00 . 2010-11-13 03:12 444054 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Octoshape Streaming Services"="c:\documents and settings\dooleyk\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-05 172032] "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752] "TpShocks"="TpShocks.exe" [2007-11-22 181536] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808] "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176] "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-12-07 200704] "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-12-07 208896] "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000] "lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040] "EzPrint"="c:\program files\Lexmark Z2300 Series\ezprint.exe" [2008-03-27 107176] "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424] "Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344] "ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184] "QuickTime Task"="c:\program 
files\QuickTime\QTTask.exe" [2010-09-08 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160] c:\documents and settings\dooleyk\Start Menu\Programs\Startup\ Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184] c:\documents and settings\All Users\Start Menu\Programs\Startup\ AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-11 50688] SMART Board Tools.lnk - c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe [2007-11-2 4519176] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2] 2006-09-06 21:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey] 2006-12-14 16:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1192560051-3535178755-1236381988-1333\Scripts\Logon\0\0] "Script"=OULogonScript_04_01_08.vbe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1192560051-3535178755-1236381988-2345769\Scripts\Logon\0\0] "Script"=OULogonScript_06_13_07.vbe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1192560051-3535178755-1236381988-2345769\Scripts\Logon\1\0] "Script"=techdrives.vbs [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= 
"c:\\WINDOWS\\system32\\lxdpcoms.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"= "c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"= "c:\\Program Files\\Real\\RealPlayer Enterprise\\realplay.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Documents and Settings\\dooleyk\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 6:32 PM 19504] R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 8:30 AM 98304] S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [8/3/2007 7:31 PM 111232] S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [8/3/2007 7:31 PM 38912] S2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?] 
S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [9/30/2008 3:41 PM 98984] S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/28/2009 12:21 PM 80936] S3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [2/26/2007 5:29 PM 81280] S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [5/21/2009 1:44 PM 33024] S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [5/21/2009 1:44 PM 41344] S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [5/21/2009 1:44 PM 39936] S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [5/21/2009 1:44 PM 59904] S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [11/2/2007 7:48 AM 767240] S3 tpflhlp;tpflhlp;c:\program files\Lenovo\System Update\session\7luj09us\tpflhlp.sys [8/9/2007 7:20 PM 13360] S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 8:30 AM 14976] --- Other Services/Drivers In Memory --- *NewlyCreated* - MDMXSDK . Contents of the 'Scheduled Tasks' folder 2010-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34] 2010-11-09 c:\windows\Tasks\Daily scheduled scan.job - c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-02-26 11:45] 2010-11-13 c:\windows\Tasks\PMTask.job - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-02-11 06:22] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.butlertech.org/ uInternet Settings,ProxyServer = http=127.0.0.1:50370 uInternet Settings,ProxyOverride = <local> IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: butlertech.org DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB DPF: {A3DC6843-BF91-437E-95F2-13F213E8CE68} - hxxps://helpdesk.butlertech.org/SWiseWeb/ScreenCapture.cab FF - ProfilePath - c:\documents and settings\dooleyk\Application Data\Mozilla\Firefox\Profiles\2xhxt93d.default\ FF - prefs.js: network.proxy.http - 127.0.0.1 FF - prefs.js: network.proxy.http_port - 50370 FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\documents and settings\dooleyk\Application Data\Move Networks\plugins\npqmp071503000010.dll FF - plugin: c:\documents and settings\dooleyk\Application Data\Move Networks\plugins\npqmp071505000011.dll FF - plugin: c:\documents and settings\dooleyk\Application Data\Mozilla\plugins\npoctoshape.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol400.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol500.dll FF - plugin: c:\program files\Picasa2\npPicasa3.dll FF - plugin: c:\program files\Real\RealPlayer Enterprise\Netscape6\nppl3260.dll FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified c:\program files\Mozilla Firefox\greprefs\all.js - 
pref("network.IDN.whitelist.xn--j6w193g", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . ************************************************************************** scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinVNC4] "ImagePath"="\"c:\program files\RealVNC\VNC4\WinVNC4.exe\" -log \"*:EventLog:0\" -log Connections:EventLog:100 -service " . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1036) c:\program files\Lenovo\HOTKEY\tphklock.dll . Completion time: 2010-11-13 17:02:15 ComboFix-quarantined-files.txt 2010-11-13 22:02 ComboFix2.txt 2010-11-13 20:03 ComboFix3.txt 2010-11-13 03:21 Pre-Run: 20,295,372,800 bytes free Post-Run: 20,278,669,312 bytes free - - End Of File - - 330F73ABF6F01814240D5E888EE593E9
  12. Here you go: ComboFix 10-11-09.02 - dooleyk 11/13/2010 14:47:23.5.2 - x86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.688 [GMT -5:00] Running from: c:\documents and settings\dooleyk\Desktop\Iexplore.exe.exe Command switches used :: c:\documents and settings\dooleyk\Desktop\CFScript.txt AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD} . ((((((((((((((((((((((((( Files Created from 2010-10-13 to 2010-11-13 ))))))))))))))))))))))))))))))) . 2010-11-03 20:26 . 2010-11-03 20:26 -------- d-----w- c:\program files\iPod 2010-11-03 20:26 . 2010-11-03 20:27 -------- d-----w- c:\program files\iTunes 2010-11-03 20:26 . 2010-11-03 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-11-03 20:20 . 2010-11-03 20:20 -------- d-----w- c:\program files\Bonjour 2010-11-03 20:14 . 2010-11-03 20:14 -------- d-----w- c:\program files\Safari 2010-11-02 12:09 . 2010-11-02 12:09 -------- d-----w- c:\documents and settings\dooleyk\Local Settings\Application Data\Octoshape . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-10-07 20:24 . 2010-10-07 20:24 419779 ----a-w- c:\documents and settings\All Users\SPL9B.tmp 2010-09-18 16:23 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-08 15:17 . 
  13. Sorry this took so long to post....
  14. Tried renaming it, still not working. The pop-up box has 32788R22FWFJFW\iexplore.exe in the blue bar, and in the box it says: Windows cannot access the specified drive, path or file. You may not have the appropriate permission to access the item. This box will pop up 13 times, then the blue part changes to 32788R22FWFJFW\n.pif for about 10 times, then that changes to \nircmd.cfxxe. Don't know if that will help. Last time it also restarted my computer.
  15. I am unable to open ComboFix. I keep getting pop-up boxes saying I don't have permission.