Jump to content

Google Redirect Virus


Recommended Posts

A couple of days ago, I starting having redirect behavior from all browsers when attempting to go to a link generated by a Google search. Ran a MalwareBytes full scan, which found trojan.PORNDIAL, which I quarantined. Malwarebytes isn't showing any further infected objects, but the trojan left the virus behind, and the redirect behavior persists. I've been trying to take all the steps shown in the "I'm infected. What do I do now?" thread. Downloaded and ran Defogger-Disable, and DDS. Downloaded and attempted to run GMER. Unchecked IAT.EAT, left C:\ unchecked, and left Show All unchecked. GMER started, but never finished. It displayed a long list of file names, with the last entry:

Sections: C"\Program Files\Java\jre6\bin\jqs.exe [260]

C:\WINDOWS\system32\RPCRT.dll

I never saw anything on the screen letting me know it was finished, but eventually I pressed the Save button. The hourglass appeared and never went away overnight! Couldn't get any response from system and finally had to reboot.

Here is DDS.txt:

DDS (Ver_10-11-27.01) - NTFSx86

Run by Trish Baskin at 20:00:05.34 on Mon 11/29/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.65 [GMT -5:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe

C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe

C:\Program Files\StompSoft\PC BackUp\NbkCtrl.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\WINDOWS\LOGI_MWX.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

svchost.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Trish Baskin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\palmOne\HOTSYNC.EXE

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxduserv.exe

C:\WINDOWS\system32\lxducoms.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe

C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Trish Baskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Trish Baskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Trish Baskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Trish Baskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Trish Baskin\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.pctools.com/mrc/fix_homepage/

mSearchAssistant = hxxp://www.google.com/ie

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [Mozilla Quick Launch] "c:\program files\mozilla.org\mozilla\Mozilla.exe" -turbo

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"

uRun: [VZVidgets]

uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t

uRun: [bitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Google Update] "c:\documents and settings\trish baskin\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [Apoint] "c:\program files\apoint\Apoint.exe"

mRun: [Alcmtr] "c:\windows\ALCMTR.EXE"

mRun: [AzMixerSel] "c:\program files\realtek\installshield\AzMixerSel.exe"

mRun: [VAIO Recovery] "c:\windows\sonysys\vaio recovery\PartSeal.exe"

mRun: [sonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"

mRun: [TVTunerLib] "c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe"

mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary

mRun: [VZRemoteCommander] "c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe"

mRun: [NovaBackup 7 Tray Control] "c:\program files\stompsoft\pc backup\NbkCtrl.exe"

mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run

mRun: [<NO NAME>]

mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"

mRun: [lxduamon] "c:\program files\lexmark 5600-6600 series\lxduamon.exe"

mRun: [Lexmark 5600-6600 Series Fax Server] "c:\program files\lexmark 5600-6600 series\fm3032.exe" /s

mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"

mRun: [Logitech Utility] "LOGI_MWX.EXE"

mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRunOnce: [installMotiveFromCW] c:\program files\verizon\fios\CW_Motive.exe

dRun: [bgxxrrcw] c:\documents and settings\networkservice\local settings\application data\iubheodlj\dyudxmmtssd.exe

StartupFolder: c:\docume~1\trishb~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\docume~1\trishb~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\trishb~1\startm~1\programs\startup\starsu~1.lnk - c:\program files\sun\starsuite 8\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: &Search

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: network.proxy.ftp - webcache2.east.sun.com

FF - prefs.js: network.proxy.ftp_port - 8080

FF - prefs.js: network.proxy.http - webcache2.east.sun.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.ssl - webcache2.east.sun.com

FF - prefs.js: network.proxy.ssl_port - 8080

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\trish baskin\application data\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll

FF - component: c:\documents and settings\trish baskin\application data\mozilla\firefox\profiles\g5wnwdkb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll

FF - plugin: c:\documents and settings\trish baskin\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\trish baskin\application data\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

FF - plugin: c:\documents and settings\trish baskin\application data\mozilla\firefox\profiles\g5wnwdkb.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

FF - plugin: c:\documents and settings\trish baskin\application data\mozilla\plugins\npcoolirisplugin.dll

FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

FF - Extension: Cooliris: piclens@cooliris.com - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\piclens@cooliris.com

FF - Extension: Kodak EasyShare Gallery Companion: kodak-companion@mozilla.com - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\kodak-companion@mozilla.com

FF - Extension: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}

FF - Extension: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{95f24680-9e31-11da-a746-0800200c9a66}

FF - Extension: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}

FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Extension: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}

FF - Extension: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Extension: Verizon Broadband Toolbar: {3DD07E5D-2ADF-42ea-972E-2998FA5CE45A} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{3DD07E5D-2ADF-42ea-972E-2998FA5CE45A}

FF - Extension: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Extension: Fire.fm: {6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}

FF - Extension: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}

FF - Extension: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}

FF - Extension: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - c:\docume~1\trishb~1\applic~1\mozilla\firefox\profiles\g5wnwdkb.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Extension: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker

FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\trish baskin\application data\Move Networks

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-8-6 532224]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-5-26 26352]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-5-26 493032]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-26 136176]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-8-3 50704]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2010-11-22 23:47:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan

2010-11-10 17:49:36 135568 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2010-11-10 17:49:36 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: TOSHIBA_MK1031GAS rev.AA204A -> Harddisk0\DR0 -> \Device\00000082

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82DB0EC5]<<

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xfded1872; SUB DWORD [EBP-0x4], 0xfded112e; PUSH EDI; CALL 0xffffffffffffdf33; }

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82F7E5E0]

3 CLASSPNP[0xF8614FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007a[0x82F7DA68]

5 ACPI[0xF848B620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82F7EB58]

[0x82E74268] -> IRP_MJ_CREATE -> 0x82DB0EC5

error: Read The device is not ready.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskTOSHIBA_MK1031GAS_______________________AA204A__#5&224947b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x82DB0AEA

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 20:03:09.54 ===============

Attach.txt is attached. Any help would be greatly appreciated. Thanks!

Attach.txt

Link to post
Share on other sites

Hello Trishb148

Welcome to Malwarebytes.

=====================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

Hi Kadah,

Thanks very much for your quick reply and advice. I did decide to go ahead and clean this system, so I have some file access while I'm transitioning over to a Mac system. I won't be running any sensitive apps in the meantime. The logs from TDSSKiller and Combofix are below. Please let me know if there are any other steps I should do. One quick question: should I restore the CD Emulation that Defogger disabled? The instructions in the "I'm infected..." thread say not do so until advised to by you.

Thanks again for all your help.

Trish

Hello Trishb148

Welcome to Malwarebytes.

=====================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
    2010/11/30 18:12:29.0640 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
    2010/11/30 18:12:29.0640 ================================================================================
    2010/11/30 18:12:29.0640 SystemInfo:
    2010/11/30 18:12:29.0640
    2010/11/30 18:12:29.0640 OS Version: 5.1.2600 ServicePack: 3.0
    2010/11/30 18:12:29.0640 Product type: Workstation
    2010/11/30 18:12:29.0640 ComputerName: TRISH
    2010/11/30 18:12:29.0640 UserName: Trish Baskin
    2010/11/30 18:12:29.0640 Windows directory: C:\WINDOWS
    2010/11/30 18:12:29.0640 System windows directory: C:\WINDOWS
    2010/11/30 18:12:29.0640 Processor architecture: Intel x86
    2010/11/30 18:12:29.0640 Number of processors: 1
    2010/11/30 18:12:29.0640 Page size: 0x1000
    2010/11/30 18:12:29.0640 Boot type: Normal boot
    2010/11/30 18:12:29.0640 ================================================================================
    2010/11/30 18:12:31.0953 Initialize success
    2010/11/30 18:12:43.0156 ================================================================================
    2010/11/30 18:12:43.0156 Scan started
    2010/11/30 18:12:43.0156 Mode: Manual;
    2010/11/30 18:12:43.0156 ================================================================================
    2010/11/30 18:13:04.0218 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/11/30 18:13:05.0828 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2010/11/30 18:13:07.0671 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/11/30 18:13:08.0984 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    2010/11/30 18:13:10.0062 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/11/30 18:13:19.0531 ApfiltrService (d3da11b88ab29076b78ff79f35f0586b) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
    2010/11/30 18:13:21.0015 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/11/30 18:13:25.0062 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/11/30 18:13:26.0968 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/11/30 18:13:30.0281 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/11/30 18:13:31.0500 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/11/30 18:13:32.0625 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/11/30 18:13:34.0546 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/11/30 18:13:35.0593 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/11/30 18:13:37.0578 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/11/30 18:13:38.0531 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/11/30 18:13:39.0640 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/11/30 18:13:41.0234 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2010/11/30 18:13:42.0843 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2010/11/30 18:13:44.0625 CVirtA (cb7d7c0e74adcb7da96d08ec8db86062) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    2010/11/30 18:13:46.0515 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/11/30 18:13:48.0218 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/11/30 18:13:49.0718 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
    2010/11/30 18:13:50.0718 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/11/30 18:13:51.0718 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/11/30 18:13:52.0781 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/11/30 18:13:54.0250 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/11/30 18:13:55.0203 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2010/11/30 18:13:56.0281 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/11/30 18:13:57.0265 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/11/30 18:13:57.0859 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/11/30 18:13:58.0953 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/11/30 18:13:59.0906 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/11/30 18:14:00.0812 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/11/30 18:14:01.0468 FTDIBUS (a36e8beedb3aaca09bf55a1d17904bc8) C:\WINDOWS\system32\drivers\ftdibus.sys
    2010/11/30 18:14:02.0390 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/11/30 18:14:03.0328 FTSER2K (a14a1f4bb391df9c233cb5dbd05feb70) C:\WINDOWS\system32\drivers\ftser2k.sys
    2010/11/30 18:14:04.0265 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2010/11/30 18:14:05.0203 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/11/30 18:14:06.0187 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/11/30 18:14:07.0156 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/11/30 18:14:08.0734 HSFHWAZL (9bec5d4ac6efdaaf001d42c77811e3db) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
    2010/11/30 18:14:10.0437 HSF_DPV (6cad234becf58529879b6c303f02777f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
    2010/11/30 18:14:12.0515 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/11/30 18:14:15.0515 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/11/30 18:14:17.0078 ialm (c8b13676374ae2418b653b10d2edda0e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2010/11/30 18:14:18.0968 Imapi (78c40deaef13805dc3d02e2fb5058ae2) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/11/30 18:14:18.0968 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: 78c40deaef13805dc3d02e2fb5058ae2, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
    2010/11/30 18:14:18.0984 Imapi - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/11/30 18:14:23.0250 IntcAzAudAddService (5f2657f8781376892035976cf8122a2d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2010/11/30 18:14:27.0765 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2010/11/30 18:14:28.0593 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/11/30 18:14:30.0031 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/11/30 18:14:30.0750 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/11/30 18:14:32.0093 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/11/30 18:14:33.0109 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/11/30 18:14:34.0406 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/11/30 18:14:35.0484 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/11/30 18:14:36.0515 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/11/30 18:14:36.0796 ISWKL (2e41433579de4381f1b0f7b30b013ddc) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
    2010/11/30 18:14:37.0984 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/11/30 18:14:38.0921 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/11/30 18:14:39.0890 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/11/30 18:14:41.0671 LEX_AS_NIC_SERVICE_YNOS (f03fc45e839912cb576e2496f582867c) C:\WINDOWS\system32\DRIVERS\ExpasAG.sys
    2010/11/30 18:14:43.0187 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2010/11/30 18:14:43.0812 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/11/30 18:14:44.0671 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/11/30 18:14:45.0765 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/11/30 18:14:46.0343 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/11/30 18:14:47.0234 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/11/30 18:14:48.0734 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/11/30 18:14:50.0234 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/11/30 18:14:51.0406 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/11/30 18:14:52.0250 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/11/30 18:14:52.0875 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/11/30 18:14:53.0765 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/11/30 18:14:54.0750 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/11/30 18:14:55.0750 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/11/30 18:14:56.0437 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/11/30 18:14:57.0406 MXOPSWD (216ac775320f64de28cfeb7c179c4ff9) C:\WINDOWS\system32\DRIVERS\mxopswd.sys
    2010/11/30 18:14:58.0281 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/11/30 18:14:59.0281 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/11/30 18:15:00.0265 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/11/30 18:15:00.0875 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/11/30 18:15:01.0703 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/11/30 18:15:02.0562 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/11/30 18:15:03.0218 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/11/30 18:15:04.0078 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/11/30 18:15:05.0062 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/11/30 18:15:06.0203 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/11/30 18:15:06.0890 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\NPF.sys
    2010/11/30 18:15:07.0781 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/11/30 18:15:09.0093 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/11/30 18:15:10.0390 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/11/30 18:15:13.0953 nv (0a71bc580c55dc6fec466d8533569e66) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/11/30 18:15:18.0125 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/11/30 18:15:18.0984 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/11/30 18:15:19.0671 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/11/30 18:15:20.0640 PalmUSBD (803cf09c795290825607505d37819135) C:\WINDOWS\system32\drivers\PalmUSBD.sys
    2010/11/30 18:15:21.0593 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2010/11/30 18:15:22.0468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/11/30 18:15:23.0312 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/11/30 18:15:23.0921 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/11/30 18:15:25.0625 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/11/30 18:15:26.0546 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2010/11/30 18:15:31.0531 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/11/30 18:15:32.0468 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/11/30 18:15:33.0343 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/11/30 18:15:33.0984 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2010/11/30 18:15:38.0796 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/11/30 18:15:39.0750 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/11/30 18:15:40.0906 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/11/30 18:15:41.0921 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/11/30 18:15:43.0484 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/11/30 18:15:44.0546 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/11/30 18:15:45.0656 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/11/30 18:15:46.0609 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/11/30 18:15:48.0390 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/11/30 18:15:49.0218 s24trans (208491a652c79871737edfe629de2c45) C:\WINDOWS\system32\DRIVERS\s24trans.sys
    2010/11/30 18:15:49.0921 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/11/30 18:15:50.0718 Sentinel (99c81af18c0bf4d3b2ce0b36941e150f) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
    2010/11/30 18:15:51.0593 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/11/30 18:15:52.0406 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2010/11/30 18:15:53.0234 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
    2010/11/30 18:15:54.0734 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/11/30 18:15:55.0531 SNC (be6038e0a7d2e2fe69107e41a0265831) C:\WINDOWS\system32\Drivers\SonyNC.sys
    2010/11/30 18:15:56.0593 SONYTVC (b20ae555d3db76037dc8d9a8dfbe4149) C:\WINDOWS\system32\DRIVERS\SONYTVC.sys
    2010/11/30 18:15:58.0203 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/11/30 18:15:59.0093 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/11/30 18:16:00.0015 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/11/30 18:16:01.0109 SSKBFD (ca85b64bc98ababdd858143933b6fd4e) C:\WINDOWS\system32\Drivers\sskbfd.sys
    2010/11/30 18:16:02.0078 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/11/30 18:16:02.0796 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/11/30 18:16:03.0703 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/11/30 18:16:05.0375 SymEvent (3c6790d26d03fe5163e2bec490e51a7e) C:\Program Files\Symantec\SYMEVENT.SYS
    2010/11/30 18:16:07.0484 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/11/30 18:16:08.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/11/30 18:16:09.0703 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/11/30 18:16:10.0484 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/11/30 18:16:11.0359 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/11/30 18:16:14.0031 tifmsony (bd9b64b745b7ee6c45b70f93703864a2) C:\WINDOWS\system32\drivers\tifmsony.sys
    2010/11/30 18:16:15.0468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/11/30 18:16:17.0187 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/11/30 18:16:18.0390 USBAAPL (026f7f224f088ee11e383bca448fff81) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2010/11/30 18:16:19.0062 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/11/30 18:16:20.0000 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/11/30 18:16:20.0718 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/11/30 18:16:21.0593 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/11/30 18:16:22.0265 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/11/30 18:16:23.0156 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/11/30 18:16:23.0890 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/11/30 18:16:24.0640 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
    2010/11/30 18:16:25.0656 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/11/30 18:16:27.0218 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/11/30 18:16:28.0515 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys
    2010/11/30 18:16:32.0328 w29n51 (67caa926ef06e07f2d31056b39f51c54) C:\WINDOWS\system32\DRIVERS\w29n51.sys
    2010/11/30 18:16:36.0125 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/11/30 18:16:37.0171 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
    2010/11/30 18:16:39.0046 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/11/30 18:16:40.0531 winachsf (ab7646d4cb9bb83d29d21ef7e00a0d15) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    2010/11/30 18:16:42.0468 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2010/11/30 18:16:43.0640 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/11/30 18:16:44.0562 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/11/30 18:16:45.0500 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/11/30 18:16:50.0843 ================================================================================
    2010/11/30 18:16:50.0843 Scan finished
    2010/11/30 18:16:50.0843 ================================================================================
    2010/11/30 18:16:50.0859 Detected object count: 1
    2010/11/30 18:17:15.0531 Imapi (78c40deaef13805dc3d02e2fb5058ae2) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/11/30 18:17:15.0531 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: 78c40deaef13805dc3d02e2fb5058ae2, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
    2010/11/30 18:17:25.0343 Backup copy found, using it..
    2010/11/30 18:17:25.0578 C:\WINDOWS\system32\DRIVERS\imapi.sys - will be cured after reboot
    2010/11/30 18:17:25.0578 Rootkit.Win32.TDSS.tdl3(Imapi) - User select action: Cure
    2010/11/30 18:17:36.0656 Deinitialize success
    ========
    Download ComboFix from one of these locations:
    Link 1
    Link 2
    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.ComboFix 10-11-27.01 - Trish Baskin 11/30/2010 20:09:29.1.1 - x86

    Running from: c:\documents and settings\Trish Baskin\Desktop\ComboFix.exe

    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\Trish Baskin\GoToAssistDownloadHelper.exe

    c:\documents and settings\Trish Baskin\Recent\chloespannels2.pif

    c:\windows\system32\Packet.dll

    c:\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL

    c:\windows\system32\spool\prtprocs\w32x86\CNMPP7Q.DLL

    c:\windows\system32\wpcap.dll

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Service_NPF

    ((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))

    .

    2010-11-26 23:13 . 2010-11-26 23:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

    2010-11-22 23:48 . 2010-11-22 23:48 -------- d-----w- c:\program files\Common Files\Adobe AIR

    2010-11-22 23:47 . 2010-11-22 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

    2010-11-10 17:49 . 2010-11-10 17:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

    2010-11-10 17:49 . 2010-11-10 17:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-11-30 23:22 . 2004-08-03 23:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Mozilla Quick Launch"="c:\program files\mozilla.org\Mozilla\Mozilla.exe" [2006-04-15 98192]

    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]

    "Google Update"="c:\documents and settings\Trish Baskin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-26 136176]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]

    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]

    "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]

    "TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-17 245760]

    "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]

    "VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]

    "NovaBackup 7 Tray Control"="c:\program files\StompSoft\PC BackUp\NbkCtrl.exe" [2006-02-21 1204224]

    "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

    "Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]

    "lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-09-10 676520]

    "lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-09-10 16040]

    "Lexmark 5600-6600 Series Fax Server"="c:\program files\Lexmark 5600-6600 Series\fm3032.exe" [2008-09-10 311976]

    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]

    "Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 19968]

    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

    "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-05 180269]

    c:\documents and settings\Trish Baskin\Start Menu\Programs\Startup\

    HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-12-9 82026]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

    2005-05-21 00:42 73728 ------w- c:\windows\system32\VESWinlogon.dll

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

    2006-10-23 12:50 71216 ------w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

    2006-09-26 00:52 50736 ------w- c:\program files\Common Files\AOL\1159660685\EE\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\Reflection\\Rx.exe"=

    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

    "c:\\Program Files\\America Online 9.0\\waol.exe"=

    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

    "c:\\Program Files\\Common Files\\AOL\\1159660685\\EE\\AOLServiceHost.exe"=

    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    "c:\\WINDOWS\\system32\\lxducoms.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "135:TCP"= 135:TCP:DCOM(135)

    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [5/26/2010 8:35 AM 26352]

    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

    .

    Contents of the 'Scheduled Tasks' folder

    2010-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-12-01 c:\windows\Tasks\Google Software Updater.job

    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-26 20:49]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-26 23:03]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-26 23:03]

    2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862116228-2044135921-3212181631-1006Core.job

    - c:\documents and settings\Trish Baskin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 23:03]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862116228-2044135921-3212181631-1006UA.job

    - c:\documents and settings\Trish Baskin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 23:03]

    .

    .

    ------- Supplementary Scan -------

    .

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

    uDefault_Search_URL = hxxp://www.google.com/ie

    uInternet Connection Wizard,ShellNext = iexplore

    uInternet Settings,ProxyOverride = <local>

    uInternet Settings,ProxyServer = http=127.0.0.1:6522

    uSearchAssistant = hxxp://www.google.com/ie

    uSearchURL,(Default) = hxxp://www.pctools.com/mrc/fix_homepage/

    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

    FF - ProfilePath - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\

    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

    FF - prefs.js: network.proxy.ftp - webcache2.east.sun.com

    FF - prefs.js: network.proxy.ftp_port - 8080

    FF - prefs.js: network.proxy.http - webcache2.east.sun.com

    FF - prefs.js: network.proxy.http_port - 8080

    FF - prefs.js: network.proxy.ssl - webcache2.east.sun.com

    FF - prefs.js: network.proxy.ssl_port - 8080

    FF - prefs.js: network.proxy.type - 4

    FF - component: c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll

    FF - component: c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

    FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll

    FF - plugin: c:\documents and settings\Trish Baskin\Application Data\Move Networks\plugins\npqmp071505000011.dll

    FF - plugin: c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

    FF - plugin: c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

    FF - plugin: c:\documents and settings\Trish Baskin\Application Data\Mozilla\plugins\npcoolirisplugin.dll

    FF - plugin: c:\documents and settings\Trish Baskin\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

    FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll

    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

    FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll

    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

    FF - Extension: Cooliris: piclens@cooliris.com - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\piclens@cooliris.com

    FF - Extension: Kodak EasyShare Gallery Companion: kodak-companion@mozilla.com - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\kodak-companion@mozilla.com

    FF - Extension: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}

    FF - Extension: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{95f24680-9e31-11da-a746-0800200c9a66}

    FF - Extension: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}

    FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

    FF - Extension: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}

    FF - Extension: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

    FF - Extension: Verizon Broadband Toolbar: {3DD07E5D-2ADF-42ea-972E-2998FA5CE45A} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{3DD07E5D-2ADF-42ea-972E-2998FA5CE45A}

    FF - Extension: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

    FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

    FF - Extension: Fire.fm: {6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}

    FF - Extension: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}

    FF - Extension: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}

    FF - Extension: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

    FF - Extension: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker

    FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Trish Baskin\Application Data\Move Networks

    ---- FIREFOX POLICIES ----

    FF - user.js: yahoo.homepage.dontask - true

    .

    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    HKCU-Run-VZVidgets - (no file)

    HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe

    HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe

    Notify-NavLogon - (no file)

    SafeBoot-klmdb.sys

    MSConfigStartUp-CTFMON - (no file)

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-11-30 20:57

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1012)

    c:\windows\system32\VESWinlogon.dll

    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'lsass.exe'(1068)

    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    - - - - - - - > 'explorer.exe'(880)

    c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

    c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\program files\Common Files\aolshare\aolshcpy.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files\Intel\Wireless\Bin\EvtEng.exe

    c:\program files\Intel\Wireless\Bin\S24EvMon.exe

    c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

    c:\progra~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\windows\System32\spool\DRIVERS\W32X86\3\lxduserv.exe

    c:\windows\system32\lxducoms.exe

    c:\program files\Maxtor\Sync\SyncServices.exe

    c:\program files\Common Files\Motive\McciCMService.exe

    c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

    c:\program files\StompSoft\PC BackUp\NMSAccess.exe

    c:\program files\StompSoft\PC BackUp\NSENGINE.exe

    c:\program files\Intel\Wireless\Bin\RegSrvc.exe

    c:\program files\Sony\VAIO Event Service\VESMgr.exe

    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

    c:\windows\system32\fxssvc.exe

    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

    c:\windows\system32\igfxext.exe

    c:\windows\system32\igfxsrvc.exe

    c:\program files\Lexmark 5600-6600 Series\lxduMsdMon.exe

    c:\windows\LOGI_MWX.EXE

    c:\program files\Apoint\Apntex.exe

    c:\program files\Microsoft ActiveSync\wcescomm.exe

    c:\progra~1\MI3AA1~1\rapimgr.exe

    c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe

    c:\program files\WinZip\WZQKPICK.EXE

    c:\program files\OpenOffice.org 3\program\soffice.exe

    c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

    c:\program files\OpenOffice.org 3\program\soffice.bin

    .

    **************************************************************************

    .

    Completion time: 2010-12-01 06:37:27 - machine was rebooted

    ComboFix-quarantined-files.txt 2010-12-01 11:37

    Pre-Run: 60,741,545,984 bytes free

    Post-Run: 60,919,152,640 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    UnsupportedDebug="do not select this" /debug

    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /PAE

    - - End Of File - - A460DD3D29EE1ED7718C3FF24B384231

Link to post
Share on other sites

It appears that you may be using a custom proxy these are set by malware most times so I won't remove it at this time.

But do let me know if it is not something you have set.

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Dequarantine::
C:\Qoobox\Quarantine\c\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL.vir

Driver::
TfFsMon
TfSysMon
TfNetMon

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

Link to post
Share on other sites

Hi Kadah.

I don't remember ever creating a custom proxy. I don't know why I would have. I've rerun Combofix with the CFScript file and the log is posted below. I don't know if it affected the operations of Combofix, but I forgot to disable ZoneAlarm until a couple of seconds after Combofix started. If that invalidates the results, please let me know and I'll run it again.

Thanks,

Trish

It appears that you may be using a custom proxy these are set by malware most times so I won't remove it at this time.

But do let me know if it is not something you have set.

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Dequarantine::
C:\Qoobox\Quarantine\c\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL.vir

Driver::
TfFsMon
TfSysMon
TfNetMon

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

ComboFix 10-11-27.01 - Trish Baskin 12/01/2010 10:21:28.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.227 [GMT -5:00]

Running from: c:\documents and settings\Trish Baskin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Trish Baskin\Desktop\CFScript.txt

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TFFSMON

-------\Legacy_TFNETMON

-------\Legacy_TFSYSMON

-------\Service_TfFsMon

-------\Service_TfNetMon

-------\Service_TfSysMon

((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))

.

2010-12-01 00:53 . 2010-12-01 00:53 -------- d-----w- c:\documents and settings\Trish Baskin\Application Data\Motive

2010-11-26 23:13 . 2010-11-26 23:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-11-22 23:48 . 2010-11-22 23:48 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-11-22 23:47 . 2010-11-22 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2010-11-10 17:49 . 2010-11-10 17:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2010-11-10 17:49 . 2010-11-10 17:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-30 23:22 . 2004-08-03 23:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Mozilla Quick Launch"="c:\program files\mozilla.org\Mozilla\Mozilla.exe" [2006-04-15 98192]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]

"Google Update"="c:\documents and settings\Trish Baskin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-26 136176]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]

"TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-17 245760]

"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]

"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]

"NovaBackup 7 Tray Control"="c:\program files\StompSoft\PC BackUp\NbkCtrl.exe" [2006-02-21 1204224]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]

"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-09-10 676520]

"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-09-10 16040]

"Lexmark 5600-6600 Series Fax Server"="c:\program files\Lexmark 5600-6600 Series\fm3032.exe" [2008-09-10 311976]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]

"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 19968]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-05 180269]

c:\documents and settings\Trish Baskin\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-12-9 82026]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2005-05-21 00:42 73728 ------w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

2006-10-23 12:50 71216 ------w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2006-09-26 00:52 50736 ------w- c:\program files\Common Files\AOL\1159660685\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Reflection\\Rx.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1159660685\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\WINDOWS\\system32\\lxducoms.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:DCOM(135)

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [5/26/2010 8:35 AM 26352]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [5/26/2010 8:35 AM 493032]

R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]

R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [3/24/2009 6:14 PM 98984]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/26/2010 6:04 PM 136176]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [7/14/2005 5:29 PM 14336]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-01 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-26 20:49]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-26 23:03]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-26 23:03]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862116228-2044135921-3212181631-1006Core.job

- c:\documents and settings\Trish Baskin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 23:03]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-862116228-2044135921-3212181631-1006UA.job

- c:\documents and settings\Trish Baskin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 23:03]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.pctools.com/mrc/fix_homepage/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

FF - ProfilePath - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: network.proxy.ftp - webcache2.east.sun.com

FF - prefs.js: network.proxy.ftp_port - 8080

FF - prefs.js: network.proxy.http - webcache2.east.sun.com

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.ssl - webcache2.east.sun.com

FF - prefs.js: network.proxy.ssl_port - 8080

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll

FF - component: c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll

FF - plugin: c:\documents and settings\Trish Baskin\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - plugin: c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

FF - plugin: c:\documents and settings\Trish Baskin\Application Data\Mozilla\plugins\npcoolirisplugin.dll

FF - plugin: c:\documents and settings\Trish Baskin\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

FF - Extension: Cooliris: piclens@cooliris.com - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\piclens@cooliris.com

FF - Extension: Kodak EasyShare Gallery Companion: kodak-companion@mozilla.com - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\kodak-companion@mozilla.com

FF - Extension: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}

FF - Extension: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{95f24680-9e31-11da-a746-0800200c9a66}

FF - Extension: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}

FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Extension: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}

FF - Extension: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Extension: Verizon Broadband Toolbar: {3DD07E5D-2ADF-42ea-972E-2998FA5CE45A} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{3DD07E5D-2ADF-42ea-972E-2998FA5CE45A}

FF - Extension: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Extension: Fire.fm: {6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}

FF - Extension: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}

FF - Extension: FoxTab: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}

FF - Extension: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - c:\documents and settings\Trish Baskin\Application Data\Mozilla\Firefox\Profiles\g5wnwdkb.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Extension: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker

FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Trish Baskin\Application Data\Move Networks

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-01 11:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)

c:\windows\system32\VESWinlogon.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(1072)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(3580)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Common Files\aolshare\aolshcpy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\progra~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxducoms.exe

c:\program files\Maxtor\Sync\SyncServices.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

c:\program files\StompSoft\PC BackUp\NMSAccess.exe

c:\program files\StompSoft\PC BackUp\NSENGINE.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\windows\system32\fxssvc.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Lexmark 5600-6600 Series\lxduMsdMon.exe

c:\program files\Apoint\Apntex.exe

c:\windows\LOGI_MWX.EXE

c:\program files\Microsoft ActiveSync\wcescomm.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe

c:\program files\WinZip\WZQKPICK.EXE

c:\windows\system32\wscntfy.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

.

**************************************************************************

.

Completion time: 2010-12-01 11:40:02 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-01 16:39

ComboFix2.txt 2010-12-01 11:37

C:\DeQuarantine.txt

Pre-Run: 60,893,294,592 bytes free

Post-Run: 60,812,107,776 bytes free

- - End Of File - - C5F555BCF795661682109C2F991D58F4

Link to post
Share on other sites

No problem I just want to make sure about the proxy.

This is what I was referring to:

FF - prefs.js: network.proxy.ftp - webcache2.east.sun.com
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - webcache2.east.sun.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - webcache2.east.sun.com
FF - prefs.js: network.proxy.ssl_port - 8080

do you recognize any of those entries?

Link to post
Share on other sites

Oops......indeed I do:) I used to work for Sun Microsystems, and those are the settings I used to get behind Sun's firewall 3 years ago, and I haven't used that proxy since. Sorry, totally forgot about it.

No problem I just want to make sure about the proxy.

This is what I was referring to:

FF - prefs.js: network.proxy.ftp - webcache2.east.sun.com
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - webcache2.east.sun.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - webcache2.east.sun.com
FF - prefs.js: network.proxy.ssl_port - 8080

do you recognize any of those entries?

Link to post
Share on other sites

ok.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    move /y C:\Qoobox\Quarantine\c\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL.vir c:\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL /c

    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    "ProxyOverride"=-

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

================================Malwarebytes' Anti-Malware=================================

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

================================Online scan=================================

* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

ok.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    move /y C:\Qoobox\Quarantine\c\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL.vir c:\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL /c

    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    "ProxyOverride"=-

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

================================Malwarebytes' Anti-Malware=================================

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

================================Online scan=================================

* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

OTL Log:

All processes killed

========== FILES ==========

< move /y C:\Qoobox\Quarantine\c\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL.vir c:\windows\system32\spool\prtprocs\w32x86\CNMPD7Q.DLL /c >

C:\Documents and Settings\Trish Baskin\Desktop\cmd.bat deleted successfully.

C:\Documents and Settings\Trish Baskin\Desktop\cmd.txt deleted successfully.

========== REGISTRY ==========

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->FireFox cache emptied: 51863001 bytes

->Flash cache emptied: 1259 bytes

User: All Users

User: Contents

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 65536 bytes

->Flash cache emptied: 56502 bytes

User: Liza

User: LocalService

->Temp folder emptied: 2053372 bytes

->Temporary Internet Files folder emptied: 475270 bytes

->Google Chrome cache emptied: 856432 bytes

->Flash cache emptied: 3023 bytes

User: localuser

User: NetworkService

->Temp folder emptied: 1982568 bytes

->Temporary Internet Files folder emptied: 571731 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 2280761 bytes

->Flash cache emptied: 15124 bytes

User: Trish Baskin

->Temp folder emptied: 93672806 bytes

->Temporary Internet Files folder emptied: 112350 bytes

->Java cache emptied: 72131255 bytes

->FireFox cache emptied: 62936858 bytes

->Google Chrome cache emptied: 89000566 bytes

->Apple Safari cache emptied: 1163264 bytes

->Flash cache emptied: 18454189 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 2675729 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 1108429 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 47316838 bytes

Total Files Cleaned = 428.00 mb

OTL by OldTimer - Version 3.2.17.3 log created on 12022010_175613

Files\Folders moved on Reboot...

C:\Documents and Settings\Trish Baskin\Local Settings\Temp\~DF6FC7.tmp moved successfully.

C:\WINDOWS\temp\Perflib_Perfdata_91c.dat moved successfully.

C:\WINDOWS\temp\T30DebugLogFile.txt moved successfully.

C:\WINDOWS\temp\ZLT006e1.TMP moved successfully.

Registry entries deleted on Reboot...

Mbam Log:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5235

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

12/2/2010 11:20:19 PM

mbam-log-2010-12-02 (23-20-18).txt

Scan type: Full scan (C:\|)

Objects scanned: 258504

Time elapsed: 3 hour(s), 56 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ESET Log:

ESETSmartInstaller@High as downloader log:

all ok

DLL:pipe not connected. attempts=120

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=94a4e62ed1e97246829823bf63ed7d8f

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-12-03 04:14:36

# local_time=2010-12-03 11:14:36 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 10506564 10506564 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 75 70 0 13143853 0 0

# scanned=109553

# found=1

# cleaned=1

# scan_time=13504

C:\Documents and Settings\Trish Baskin\My Documents\Downloads\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AK application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites

Great how are things running?

Please open OTL once more and click on Run scan at the top and let me know of any remaining issues.

Things seem to be working fine now. The ouput of latest OTL is below. Doesn't look like it found anything else......many thanks for all your help.

OTL logfile created on: 12/3/2010 10:14:34 PM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Trish Baskin\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 264.00 Mb Available Physical Memory | 53.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free

Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 87.15 Gb Total Space | 54.55 Gb Free Space | 62.59% Space Free | Partition Type: NTFS

Computer Name: TRISH | User Name: Trish Baskin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/02 17:52:48 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Trish Baskin\Desktop\OTL.exe

PRC - [2010/06/23 12:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe

PRC - [2010/06/23 12:51:30 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

PRC - [2010/05/26 08:35:18 | 000,493,032 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe

PRC - [2010/03/19 09:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/01/15 07:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

PRC - [2009/01/09 19:00:52 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin

PRC - [2009/01/09 18:57:32 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe

PRC - [2008/09/10 06:11:12 | 000,676,520 | ---- | M] () -- C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe

PRC - [2008/09/10 06:11:09 | 000,025,256 | ---- | M] () -- C:\Program Files\Lexmark 5600-6600 Series\lxdumsdmon.exe

PRC - [2008/07/21 15:54:34 | 000,169,312 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe

PRC - [2008/07/21 15:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe

PRC - [2008/05/23 07:58:34 | 000,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxducoms.exe

PRC - [2008/05/23 07:58:22 | 000,098,984 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxduserv.exe

PRC - [2008/05/02 07:03:09 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2006/11/13 12:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe

PRC - [2006/11/13 12:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe

PRC - [2006/11/10 11:00:00 | 000,389,120 | ---- | M] (WinZip Computing LP) -- C:\Program Files\WinZip\WZQKPICK.EXE

PRC - [2006/10/23 07:50:35 | 000,046,640 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

PRC - [2006/04/14 23:05:00 | 000,098,192 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla.org\Mozilla\mozilla.exe

PRC - [2006/02/23 11:41:02 | 000,100,032 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

PRC - [2006/02/21 11:37:08 | 001,204,224 | ---- | M] () -- C:\Program Files\StompSoft\PC BackUp\NBKCTRL.exe

PRC - [2006/02/21 11:37:02 | 000,118,784 | ---- | M] () -- C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe

PRC - [2006/02/21 11:24:50 | 000,045,056 | ---- | M] () -- C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe

PRC - [2005/12/05 09:09:20 | 000,208,941 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe

PRC - [2005/12/05 09:09:17 | 000,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

PRC - [2005/06/29 16:33:42 | 000,086,016 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe

PRC - [2005/06/15 13:17:44 | 000,167,936 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

PRC - [2005/06/15 13:17:44 | 000,135,168 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

PRC - [2005/06/15 13:17:38 | 000,270,336 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

PRC - [2005/06/03 03:49:40 | 000,372,809 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

PRC - [2005/06/03 03:47:44 | 000,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

PRC - [2005/06/03 03:46:28 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

PRC - [2005/05/20 19:41:42 | 000,153,600 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

PRC - [2005/05/15 07:51:24 | 000,184,320 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

PRC - [2005/02/09 07:43:58 | 000,143,360 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

PRC - [2005/01/31 12:10:44 | 000,192,512 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe

PRC - [2005/01/14 15:43:28 | 000,151,552 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe

PRC - [2004/10/15 15:54:14 | 000,100,016 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

PRC - [2004/10/15 15:54:12 | 000,046,768 | ---- | M] (America Online Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

PRC - [2004/04/13 17:03:10 | 000,299,008 | ---- | M] (Palm, Inc.) -- C:\Program Files\palmOne\HOTSYNC.EXE

PRC - [2003/12/17 08:50:00 | 000,019,968 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\LOGI_MWX.EXE

PRC - [2003/11/07 19:21:28 | 000,114,688 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe

PRC - [2003/05/08 11:00:58 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

PRC - [2003/02/26 13:08:42 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe

PRC - [2001/10/11 17:35:02 | 000,082,026 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

========== Modules (SafeList) ==========

MOD - [2010/12/02 17:52:48 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Trish Baskin\Desktop\OTL.exe

MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

MOD - [2010/05/26 08:35:24 | 000,640,488 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

MOD - [2009/07/12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll

MOD - [2009/07/12 01:09:20 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll

MOD - [2006/03/24 10:53:30 | 000,159,744 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe -- (navapsvc)

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)

SRV - [2010/09/01 14:52:56 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®

SRV - [2010/06/23 12:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)

SRV - [2010/05/26 08:35:18 | 000,493,032 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)

SRV - [2010/03/19 09:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)

SRV - [2008/07/21 15:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)

SRV - [2008/05/23 07:58:34 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxducoms.exe -- (lxdu_device)

SRV - [2008/05/23 07:58:22 | 000,098,984 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxduserv.exe -- (lxduCATSCustConnectService)

SRV - [2006/10/23 07:50:35 | 000,046,640 | ---- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)

SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)

SRV - [2006/02/23 11:41:02 | 000,100,032 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)

SRV - [2006/02/21 11:37:02 | 000,118,784 | ---- | M] () [Auto | Running] -- C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe -- (NsEngine)

SRV - [2006/02/21 11:24:50 | 000,045,056 | ---- | M] () [Auto | Running] -- C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe -- (NMSAccess)

SRV - [2005/06/15 13:17:46 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)

SRV - [2005/06/15 13:17:44 | 000,167,936 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)

SRV - [2005/06/15 13:17:44 | 000,135,168 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe -- (VzFw)

SRV - [2005/06/15 13:17:38 | 000,270,336 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)

SRV - [2005/06/07 11:58:28 | 001,851,392 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe -- (VAIOMediaPlatform-IntegratedServer-AppServer)

SRV - [2005/06/07 05:44:10 | 000,770,048 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-IntegratedServer-UPnP) VAIO Media Integrated Server (UPnP)

SRV - [2005/06/07 05:38:26 | 000,057,344 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-IntegratedServer-HTTP) VAIO Media Integrated Server (HTTP)

SRV - [2005/06/07 05:37:14 | 000,188,416 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe -- (VAIOMediaPlatform-Mobile-Gateway)

SRV - [2005/06/07 03:32:54 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)

SRV - [2005/06/07 03:28:04 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)

SRV - [2005/06/07 03:22:34 | 000,069,718 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)

SRV - [2005/06/03 07:21:00 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)

SRV - [2005/06/03 03:49:40 | 000,372,809 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)

SRV - [2005/06/03 03:47:44 | 000,086,016 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)

SRV - [2005/06/03 03:46:28 | 000,139,264 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)

SRV - [2005/05/20 19:41:42 | 000,153,600 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)

SRV - [2005/04/05 15:06:36 | 000,032,768 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Image Converter 2\IcVzMon.exe -- (Image Converter video recording monitor for VAIO Entertainment)

SRV - [2005/02/10 14:44:04 | 000,397,312 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe -- (VAIO Entertainment Task Scheduler)

SRV - [2005/02/09 07:43:58 | 000,143,360 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe -- (VAIO Entertainment Aggregation and Control Service)

SRV - [2004/10/15 15:54:14 | 000,100,016 | ---- | M] (America Online, Inc) [Auto | Running] -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -- (AOL TopSpeedMonitor)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)

DRV - [2010/05/26 08:35:10 | 000,026,352 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)

DRV - [2010/05/13 09:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)

DRV - [2009/12/04 17:39:46 | 000,071,488 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)

DRV - [2009/12/04 17:39:46 | 000,053,184 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)

DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2007/05/03 12:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)

DRV - [2007/03/01 19:54:22 | 000,021,056 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sskbfd.sys -- (SSKBFD)

DRV - [2006/05/05 16:19:50 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)

DRV - [2005/06/29 16:35:10 | 003,173,888 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2005/06/10 12:31:28 | 000,076,800 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifmsony.sys -- (tifmsony)

DRV - [2005/06/09 18:56:00 | 003,192,192 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2005/05/23 12:31:46 | 001,034,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)

DRV - [2005/05/23 12:30:48 | 000,178,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)

DRV - [2005/05/23 12:30:42 | 000,716,288 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2005/05/03 09:03:54 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)

DRV - [2005/04/30 18:01:56 | 003,281,408 | ---- | M] (Intel

Link to post
Share on other sites

You are welcome :(

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE) then click on it
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.

======================

Delete\uninstall anything else that we have used that is leftover.

After that your all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article Some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

How did I get infected in the first place? Also this one by Tony Klein.

If your computer is slow Things you can do if your computer is slow.

PC Safety and Security - What Do I Need? Security suggestions and general hints and tips for PC security.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent etc...

===Free antimalware tools used for on demand scanning and cleaning no real time unless purchased===

Malwarebytes Antimalware

superantispyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast

Link to post
Share on other sites

  • 3 weeks later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.