voodoo76
1. Logs attached. I have not had any issues with this machine since ComboFix ran effectively, after uninstalling Symantec Endpoint.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=9c93a506103a914fb41075c8569a67bb
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-28 02:43:27
# local_time=2011-04-27 09:43:27 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=94669
# found=0
# cleaned=0
# scan_time=1663

Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java 6 Update 22
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10.2.152.26
Adobe Reader 9.4.4
Out of date Adobe Reader installed!
````````````````````````````````
Process Check: objlist.exe by Laurent
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````
2. Sorry for the delay, been a busy few days. Log from this evening's scan:

ComboFix 11-04-27.01 - Voodoo76 04/27/2011 19:28:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1225 [GMT -5:00]
Running from: c:\documents and settings\glbellairs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\glbellairs\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-28 )))))))))))))))))))))))))))))))
.
.
2011-04-27 00:22 . 2011-04-27 01:40 -------- d-----w- c:\documents and settings\glbellairs\Application Data\wsInspector
2011-04-27 00:21 . 2011-04-27 00:22 -------- d-----w- c:\program files\Startup Inspector for Windows
2011-04-25 23:07 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-25 23:07 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-25 23:07 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-25 23:07 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-25 23:07 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-25 23:07 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-25 23:07 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-25 23:07 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-25 23:06 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-04-25 23:06 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-25 01:10 . 2011-04-25 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-25 01:10 . 2011-04-25 01:10 -------- d-----w- c:\program files\AVAST Software
2011-04-21 02:29 . 2011-04-21 02:29 -------- d-----w- c:\program files\Sophos
2011-04-20 23:23 . 2011-04-02 20:17 1377112 ----a-w- C:\irweasle.com
2011-04-14 08:39 . 2011-04-14 08:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-04-09 21:30 . 2011-04-09 21:28 50688 ----a-w- C:\ATF_Cleaner.exe
2011-04-09 18:18 . 2011-04-09 18:19 -------- d-----w- C:\TDSKiller
2011-04-02 21:02 . 2011-04-02 21:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-02 20:58 . 2011-04-02 20:58 -------- d-----w- c:\documents and settings\glbellairs\Local Settings\Application Data\PackageAware
2011-04-02 20:43 . 2011-04-02 20:43 -------- d--h--w- c:\windows\PIF
2011-04-02 18:18 . 2011-04-09 23:01 -------- d-----w- c:\documents and settings\vader
2011-04-02 03:54 . 2011-04-02 03:54 -------- d-----w- c:\documents and settings\CPAC\Application Data\Malwarebytes
2011-04-02 03:28 . 2011-04-02 03:28 -------- d-----w- c:\program files\Common Files\iS3
2011-04-02 03:28 . 2011-04-02 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-04-01 14:34 . 2011-04-01 14:34 -------- d-----w- c:\program files\AKG CooL-Line
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-26 02:47 . 2009-08-26 21:03 0 ----a-w- c:\documents and settings\glbellairs\Local Settings\Application Data\WavXMapDrive.bat
2011-04-09 22:35 . 2009-06-11 12:55 0 ----a-w- c:\documents and settings\CPAC\Local Settings\Application Data\WavXMapDrive.bat
2011-02-18 21:36 . 2010-07-14 20:30 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2010-07-14 20:30 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\457\g2mstart.exe" [2010-11-12 39816]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2009-12-04 57344]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-21 15:20 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Documents and Settings\\glbellairs\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/25/2011 6:07 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/25/2011 6:07 PM 307288]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [6/12/2009 9:58 AM 34592]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/25/2011 6:07 PM 19544]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [2/27/2007 2:32 PM 61440]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/11/2009 3:29 PM 6016]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/5/2009 12:40 AM 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/5/2009 12:40 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/5/2009 12:40 AM 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/5/2009 12:40 AM 109568]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/4/2009 10:20 PM 232744]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2009 8:37 PM 133104]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [1/12/2004 1:07 PM 71448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S3 RS_SS_NT;RSLinx S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1/12/2004 1:07 PM 142592]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/12/2004 1:07 PM 30166]
S3 RSSERIAL;RSLinx Serial Driver;c:\windows\system32\rsserial.sys [1/12/2004 1:07 PM 155440]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-04-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 15:32]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 01:37]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 01:37]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982176290-4273415865-4244866014-1007Core.job
- c:\documents and settings\glbellairs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-13 22:58]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982176290-4273415865-4244866014-1007UA.job
- c:\documents and settings\glbellairs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-13 22:58]
.
2011-04-27 c:\windows\Tasks\User_Feed_Synchronization-{857847F0-6F83-4507-BB5E-26130B9405E3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-27 19:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1360)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\TdmNetworkProvider.dll
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'Explorer.exe'(5568)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-27 19:39:29
ComboFix-quarantined-files.txt 2011-04-28 00:39
ComboFix2.txt 2011-04-24 18:11
.
Pre-Run: 210,962,657,280 bytes free
Post-Run: 210,938,306,560 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 161E274CF36404F1CB05386DFA89E1B5
3. Some interesting issues running ComboFix. I ended up uninstalling Symantec Endpoint to get it to run. It "detected presence of rootkit activity" and rebooted into a scan. Log is attached.

ComboFix 11-04-23.02 - glbellairs 04/24/2011 13:06:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1550 [GMT -5:00]
Running from: c:\documents and settings\glbellairs\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-21 02:29 . 2011-04-21 02:29 -------- d-----w- c:\program files\Sophos
2011-04-20 23:23 . 2011-04-02 20:17 1377112 ----a-w- C:\irweasle.com
2011-04-09 21:30 . 2011-04-09 21:28 50688 ----a-w- C:\ATF_Cleaner.exe
2011-04-09 18:18 . 2011-04-09 18:19 -------- d-----w- C:\TDSKiller
2011-04-02 21:02 . 2011-04-02 21:02 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Windows Search
2011-04-02 21:02 . 2011-04-02 21:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-02 20:58 . 2011-04-02 20:58 -------- d-----w- c:\documents and settings\glbellairs\Local Settings\Application Data\PackageAware
2011-04-02 20:43 . 2011-04-02 20:43 -------- d--h--w- c:\windows\PIF
2011-04-02 18:18 . 2011-04-09 23:01 -------- d-----w- c:\documents and settings\vader
2011-04-02 03:54 . 2011-04-02 03:54 -------- d-----w- c:\documents and settings\CPAC\Application Data\Malwarebytes
2011-04-02 03:28 . 2011-04-02 03:28 -------- d-----w- c:\program files\Common Files\iS3
2011-04-02 03:28 . 2011-04-02 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-04-01 14:34 . 2011-04-01 14:34 -------- d-----w- c:\program files\AKG CooL-Line
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-24 17:56 . 2009-08-26 21:03 0 ----a-w- c:\documents and settings\glbellairs\Local Settings\Application Data\WavXMapDrive.bat
2011-04-09 22:35 . 2009-06-11 12:55 0 ----a-w- c:\documents and settings\CPAC\Local Settings\Application Data\WavXMapDrive.bat
2011-02-18 21:36 . 2010-07-14 20:30 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2010-07-14 20:30 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-23_18.57.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-24 18:03 . 2011-04-24 18:03 16384 c:\windows\temp\Perflib_Perfdata_394.dat
+ 2008-04-25 16:16 . 2011-04-24 18:07 79188 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2008-04-14 12:00 52352 c:\windows\system32\dllcache\volsnap.sys
+ 2008-04-25 16:16 . 2011-04-24 18:07 464078 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\457\g2mstart.exe" [2010-11-12 39816]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2009-12-04 57344]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-04-30 2396160]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-21 15:20 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Documents and Settings\\glbellairs\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [6/12/2009 9:58 AM 34592]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 11:07 AM 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 10:19 AM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 10:19 AM 20840]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [2/27/2007 2:32 PM 61440]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/11/2009 3:29 PM 6016]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/5/2009 12:40 AM 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [6/5/2009 12:40 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/5/2009 12:40 AM 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [6/5/2009 12:40 AM 109568]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [6/4/2009 10:20 PM 232744]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2009 8:37 PM 133104]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [1/12/2004 1:07 PM 71448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S3 RS_SS_NT;RSLinx S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [1/12/2004 1:07 PM 142592]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [1/12/2004 1:07 PM 30166]
S3 RSSERIAL;RSLinx Serial Driver;c:\windows\system32\rsserial.sys [1/12/2004 1:07 PM 155440]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 8:06 PM 443168]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-04-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 15:32]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 01:37]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 01:37]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982176290-4273415865-4244866014-1007Core.job
- c:\documents and settings\glbellairs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-13 22:58]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982176290-4273415865-4244866014-1007UA.job
- c:\documents and settings\glbellairs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-13 22:58]
.
2011-04-24 c:\windows\Tasks\User_Feed_Synchronization-{857847F0-6F83-4507-BB5E-26130B9405E3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-24 13:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1332)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2011-04-24 13:11:58
ComboFix-quarantined-files.txt 2011-04-24 18:11
ComboFix2.txt 2011-04-23 19:01
.
Pre-Run: 210,651,975,680 bytes free
Post-Run: 211,007,299,584 bytes free
.
- - End Of File - - 71CB526A91D62C52DFF7765A30313606
.

DDS (Ver_11-03-05.01) - NTFSx86
Run by GLBellairs at 18:13:15.95 on Sun 04/24/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1396 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Dell 
ControlPoint\Dell.ControlPoint.exe C:\WINDOWS\system32\WLTRAY.exe C:\Program Files\DellTPad\Apoint.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\DellTPad\ApMsgFwd.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Logitech\Vid HD\Vid.exe C:\Program Files\DellTPad\HidFind.exe C:\Program Files\DellTPad\Apntex.exe C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Documents and Settings\glbellairs\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll BHO: 
Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon" uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [NWTRAY] NWTRAY.EXE mRun: [igfxTray] "c:\windows\system32\igfxtray.exe" mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe" mRun: [Persistence] "c:\windows\system32\igfxpers.exe" mRun: [WavXMgr] "c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe" mRun: [uSCService] "c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe" mRun: [secureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe" mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe" mRun: [iPrint Event Monitor] "c:\windows\system32\iprntlgn.exe" mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe" mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe" mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe" mRun: [broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe" mRun: [Apoint] "c:\program 
files\delltpad\Apoint.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe mPolicies-system: CompatibleRUPSecurity = 1 (0x1) IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244725214281 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248194200140 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - 
hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ============= SERVICES / DRIVERS =============== . 
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-6-12 34592] R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968] R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800] R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296] R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840] R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\ocs inventory agent\OcsService.exe [2007-2-27 61440] R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008] R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-6-11 6016] R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-5 112512] R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-6-5 32808] R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-6-5 244368] R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-5 109568] R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-6-4 232744] S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\virtualbackplane.sys --> c:\windows\system32\drivers\VirtualBackplane.sys [?] 
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-3 133104] S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [2004-1-12 71448] S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?] S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?] S3 RS_SS_NT;RSLinx S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [2004-1-12 142592] S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2004-1-12 30166] S3 RSSERIAL;RSLinx Serial Driver;c:\windows\system32\rsserial.sys [2004-1-12 155440] S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-12 189792] S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-2-6 443168] . =============== Created Last 30 ================ . 2011-04-23 18:32:20 98816 ----a-w- c:\windows\sed.exe 2011-04-23 18:32:20 89088 ----a-w- c:\windows\MBR.exe 2011-04-23 18:32:20 256512 ----a-w- c:\windows\PEV.exe 2011-04-23 18:32:20 161792 ----a-w- c:\windows\SWREG.exe 2011-04-21 02:29:50 -------- d-----w- c:\program files\Sophos 2011-04-20 23:23:25 1377112 ----a-w- C:\irweasle.com 2011-04-09 21:30:52 50688 ----a-w- C:\ATF_Cleaner.exe 2011-04-09 18:18:47 -------- d-----w- C:\TDSKiller 2011-04-02 20:58:19 -------- d-----w- c:\docume~1\glbell~1\locals~1\applic~1\PackageAware 2011-04-02 20:43:25 -------- d--h--w- c:\windows\PIF 2011-04-02 03:28:19 -------- d-----w- c:\program files\common files\iS3 2011-04-02 03:28:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla! 
2011-04-01 14:34:10 -------- d-----w- c:\program files\AKG CooL-Line . ==================== Find3M ==================== . 2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll . ============= FINISH: 18:13:24.54 ===============
4. Thanks for taking a look at this. DDS log:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by GLBellairs at 21:18:13.03 on Thu 04/21/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1053 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mstart.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\glbellairs\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [NWTRAY] NWTRAY.EXE
mRun: [igfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [WavXMgr] "c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe"
mRun: [uSCService] "c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe"
mRun: [secureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [iPrint Event Monitor] "c:\windows\system32\iprntlgn.exe"
mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [Apoint] "c:\program files\delltpad\Apoint.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244725214281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248194200140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-6-12 34592]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-2-2 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-2-2 108392]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\ocs inventory agent\OcsService.exe [2007-2-27 61440]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-2-2 2477304]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-6-11 6016]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-5 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-6-5 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-6-5 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-19 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-5 109568]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110401.002\NAVENG.SYS [2011-4-1 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110401.002\NAVEX15.SYS [2011-4-1 1393144]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-6-4 232744]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\virtualbackplane.sys --> c:\windows\system32\drivers\VirtualBackplane.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-3 133104]
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;c:\windows\system32\drivers\abktcx.sys [2004-1-12 71448]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-6-26 23888]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 RS_SS_NT;RSLinx S-S SD/SD2 Device Driver;c:\windows\system32\RS_SS_NT.SYS [2004-1-12 142592]
S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [2004-1-12 30166]
S3 RSSERIAL;RSLinx Serial Driver;c:\windows\system32\rsserial.sys [2004-1-12 155440]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-12 189792]
S4 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-2-6 443168]
.
=============== Created Last 30 ================
.
2011-04-21 02:29:50 -------- d-----w- c:\program files\Sophos
2011-04-20 23:23:25 1377112 ----a-w- C:\irweasle.com
2011-04-09 21:30:52 50688 ----a-w- C:\ATF_Cleaner.exe
2011-04-09 18:18:47 -------- d-----w- C:\TDSKiller
2011-04-02 20:58:19 -------- d-----w- c:\docume~1\glbell~1\locals~1\applic~1\PackageAware
2011-04-02 20:43:25 -------- d--h--w- c:\windows\PIF
2011-04-02 03:28:19 -------- d-----w- c:\program files\common files\iS3
2011-04-02 03:28:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-04-01 14:34:10 -------- d-----w- c:\program files\AKG CooL-Line
.
==================== Find3M ====================
.
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
============= FINISH: 21:18:33.23 ===============
5. I recently cleaned out Windows Recovery virus, following the guidelines here. It appears to be gone; however, since then I have been seeing the following symptoms:
- Redirects to random sites from searches in Google (or other search engines) when using IE.
- Chrome will not connect at all. It launches but all I get is "page unresponsive".
- A lot of IE script errors with odd URLs (e.g. http://adserver.adtechus.com/addyn/3.0/5276/1281653/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1303428717218)
- Malwarebytes scans turn up either nothing or the same 3 items in the attached log.
One of my IT guys suggested TDSSKiller; however, it will not launch.
Interested in any thoughts or ideas on where to go next. Thanks
mbam-log-2011-04-21 (18-22-59).txt
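A triage pass over DDS service lines, added here as an example for this thread; it is not code from DDS, ComboFix or any of the posters. Both DDS logs above carry a MEMSWEEP2 service whose ImagePath is \??\c:\windows\system32\21.tmp, several entries DDS prints with [?] (a registered service whose binary it could not find on disk), and one BHO registered with No File. The script parses lines in that format and flags those patterns mechanically. A flag is a prompt to look the entry up, not a verdict: a MEMSWEEP2 service loading from a randomly named .tmp is the footprint of Sophos's anti-rootkit scanner, which fits the c:\program files\Sophos directory in the Created Last 30 section, and Smcinst is a Symantec Endpoint Protection upgrade agent whose binary is gone. SAMPLE_LINES are copied from the logs in posts 3 and 4; the regular expressions, the reason codes and the Finding class are this example's own.

```python
"""Flag review-worthy entries in the SERVICES / DRIVERS and BHO sections of a
DDS or ComboFix log.  Added example for this thread: not code from DDS,
ComboFix or any of the posts.  SAMPLE_LINES are copied from the logs above;
the regexes, reason codes and Finding class are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# DDS service line:  <R|S><start type> name;display name;image [date size]
# R = running, S = stopped; start type 0=boot 1=system 2=auto 3=demand 4=disabled.
# When DDS cannot stat the image it prints "lowercased --> original [?]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Browser extension entries whose CLSID is registered but whose DLL is gone.
NO_FILE_RE = re.compile(r"^(?P<kind>BHO|TB|EB):\s*(?P<rest>.*?)\s+-\s+No File\s*$")
# Executables living under a \temp\ or \tmp\ path component.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)

# Constructed input: lines copied from the DDS logs in posts 3 and 4.
SAMPLE_LINES = [
    r"S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-3 133104]",
    r"R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-6-11 6016]",
    r"S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\drivers\virtualbackplane.sys --> c:\windows\system32\drivers\VirtualBackplane.sys [?]",
    r"S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]",
    r"S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]",
    r"BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll",
    r"BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",
]


@dataclass
class Finding:
    entry: str
    image: str
    reasons: List[str] = field(default_factory=list)


def normalize_image(raw: str) -> str:
    """Return the on-disk path DDS printed, without the NT object-manager prefix."""
    if " --> " in raw:                    # "lowercased --> original" form
        raw = raw.split(" --> ", 1)[1]
    raw = raw.strip().strip('"')
    if raw.startswith("\\??\\"):          # strip a leading \??\
        raw = raw[4:]
    return raw


def triage_service(line: str) -> Optional[Finding]:
    """Apply the service rules to one line; None when nothing is worth a look."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    image = normalize_image(m["image"])
    low = image.lower()
    finding = Finding(entry=m["name"].strip(), image=image)
    if m["meta"].strip() == "?":
        finding.reasons.append("file-missing")        # registry entry, no binary on disk
    if low.endswith(".tmp") or TEMP_DIR_RE.search(low):
        finding.reasons.append("temp-image")          # service binary in temp space
    if m["start"] in ("0", "1") and "file-missing" in finding.reasons:
        finding.reasons.append("early-start-missing")  # boot/system driver that is gone
    return finding if finding.reasons else None


def triage_log(lines) -> List[Finding]:
    """Run every rule over a DDS log; returns only the entries worth a look-up."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        f = triage_service(line)
        if f is None:
            n = NO_FILE_RE.match(line)
            if n:
                f = Finding(entry=f'{n["kind"]}: {n["rest"]}', image="",
                            reasons=["orphaned-no-file"])
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LINES):
        print(f"{f.entry:<50} {', '.join(f.reasons):<34} {f.image}")
```

Run against the sample it reports MEMSWEEP2 (file-missing, temp-image), VirtualBackplane (file-missing, early-start-missing), Smcinst (file-missing) and the orphaned BHO, and stays quiet on gupdate, vnccom and the Skype BHO. Paste a whole DDS log in place of SAMPLE_LINES to get the same list for another machine; the rules deliberately stop short of deciding what is malicious, since the same [?] marker covers a stale uninstall entry and a rootkit whose file is hidden from the scanner.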