I hate these darn outbound IP things.

Anyway, here are the data dumps. Help me, Obi-Wan.

When I ran this, nothing else was running. (That I knew of...)

***********************************************************************************************************************************

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 7.0.5730.13

Run by XXXX at 17:56:31 on 2011-05-22

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1364 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Program Files\Citrix\GoToMyPC\g2svc.exe

C:\Program Files\Citrix\GoToMyPC\g2comm.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Citrix\GoToMyPC\g2pre.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Citrix\GoToMyPC\g2tray.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\NewTech Infosystems\NTI Shadow 3\Shadow.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\ProWin10\32bit\tasksch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Affixa\AffixaTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Documents and Settings\XXXX\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

mStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AffixaHandlerLib.BHO: {5adefb9e-b824-45e6-86e2-2b7941f5d6a3} - mscoree.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [shadow] c:\program files\newtech infosystems\nti shadow 3\Shadow.exe --minimize

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_1_0 -reboot 1

uRun: [TaskScheduler] c:\prowin10\32bit\tasksch.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Affixa] c:\program files\affixa\AffixaTray.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: cumberlandcounty.org

Trusted Zone: intuit.com\ttlc

Trusted Zone: mainelandrecords.com\www

Trusted Zone: refund-advantage.com\www

DPF: Microsoft XML Parser for Java

DPF: Web-Based Email Tools - hxxp://email03.secureserver.net/Download.CAB

DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsTV.cab

DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://inotes.adrus.com/dwa85W.cab

DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.refund-advantage.com/pcheck103010/smsx.cab

DPF: {187728C3-71FD-11D3-878E-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/Dll/RSFCalc.cab

DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E}

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://ccllcnc.com/Remote/msrdp.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913}

DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsDP.cab

DPF: {9D27C3FA-6662-4D29-99FB-A58A405FD584} - hxxps://secureshare.prometric.com/COM/MOVEitUploadWizard4.0.0.ocx

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} - hxxps://www.laserapp.com/dev/detect/lavdetect.ocx

DPF: {DE1319F8-DE5B-42EB-9407-4067FB8A09FD} - hxxp://wkforms.com/BuildRelease/wkforms/perform%20plus%20III/release/install.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://intuit.webex.com/client/T27LC/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {CF2F86EA-5FC2-499A-BBD0-24EFF03A193F} = 4.2.2.2,8.8.8.8

Notify: AtiExtEvent - Ati2evxx.dll

Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

============= SERVICES / DRIVERS ===============

.

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-28 363344]

R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]

R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2010-1-22 45824]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]

R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2005-7-27 14080]

R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2005-7-27 36352]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-28 20952]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2010-1-22 56960]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2005-7-27 77056]

S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2010-1-20 81920]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-4 136176]

S2 mrtRate;mrtRate; [x]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-22 1691480]

S3 cpuz132;cpuz132;\??\c:\docume~1\instal~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\instal~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\markha~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2011-5-1 70144]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-4 136176]

S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\common files\intuit\fuse\service\Intuit Fuse Service.exe [2006-12-16 72704]

S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2006-3-13 4736]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-3-13 8960]

S3 PortAcc;Spearit Port Access;\??\c:\program files\laplink\pcmover\portacc.sys --> c:\program files\laplink\pcmover\PortAcc.sys [?]

S3 SIWIO;SIWIO;\??\c:\windows\temp\siwio.sys --> c:\windows\temp\SiwIo.sys [?]

S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]

.

=============== Created Last 30 ================

.

2011-05-18 19:04:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-12 17:14:37 1115008 ----a-w- c:\windows\system32\ativvamv.dll

2011-05-12 03:33:19 -------- d-----w- c:\program files\AMD APP

2011-05-12 01:32:25 593920 ------w- c:\windows\system32\ati2sgag.exe

2011-05-12 01:19:05 -------- d-----w- c:\program files\Unibrain

2011-05-11 14:33:43 -------- d-----w- c:\documents and settings\markham & company\application data\Softland

2011-05-11 14:33:12 26960 ----a-w- c:\windows\system32\novamnv7.dll

2011-05-11 14:33:12 21328 ----a-w- c:\windows\system32\novamiv7.dll

2011-05-11 14:32:56 -------- d-----w- c:\documents and settings\markham & company\local settings\application data\PDF Annotator

2011-05-11 14:32:37 -------- d-----w- c:\program files\PDF Annotator

2011-05-09 15:49:50 72080 ----a-w- c:\documents and settings\markham & company\g2mdlhlpx.exe

2011-05-03 16:53:14 -------- d-----w- c:\documents and settings\markham & company\application data\Mapi2Xml

2011-05-03 16:53:04 -------- d-----w- c:\documents and settings\markham & company\application data\Affixa

2011-05-03 16:16:03 -------- d-----w- c:\program files\Affixa

2011-05-03 15:59:40 -------- d-----w- c:\program files\RefundAdvantage2010

2011-05-03 15:59:40 -------- d-----w- c:\program files\Refund Advantage 2010

2011-05-03 15:59:39 -------- d-----w- c:\program files\RA0708

2011-05-02 12:56:29 -------- d-----w- c:\documents and settings\markham & company\local settings\application data\Secunia PSI

2011-05-02 12:56:17 -------- d-----w- c:\program files\Secunia

2011-05-01 21:11:07 -------- d-----w- c:\documents and settings\markham & company\application data\f-secure

2011-05-01 21:10:37 -------- d-----w- c:\documents and settings\all users\application data\F-Secure

2011-05-01 18:22:28 -------- d-----w- C:\Rbackup

2011-05-01 15:32:59 -------- d-----w- c:\program files\ESET

2011-05-01 03:09:16 -------- d-sha-r- C:\cmdcons

2011-05-01 00:38:25 98816 ----a-w- c:\windows\sed.exe

2011-05-01 00:38:25 89088 ----a-w- c:\windows\MBR.exe

2011-05-01 00:38:25 256512 ----a-w- c:\windows\PEV.exe

2011-05-01 00:38:25 161792 ----a-w- c:\windows\SWREG.exe

2011-04-30 15:29:25 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-04-30 15:29:25 -------- d-----w- c:\windows\system32\wbem\Repository

2011-04-28 22:10:58 -------- d-----w- c:\program files\Avira

2011-04-28 22:10:58 -------- d-----w- c:\documents and settings\all users\application data\Avira

.

==================== Find3M ====================

.

2011-05-12 02:57:24 848 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys

2011-04-22 23:08:16 398760 ----a-r- c:\windows\system32\cpnprt2.cid

2011-04-20 02:41:56 6537728 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2011-04-20 02:38:50 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2011-04-20 02:29:06 57344 ----a-w- c:\windows\system32\aticalrt.dll

2011-04-20 02:29:00 53248 ----a-w- c:\windows\system32\aticalcl.dll

2011-04-20 02:24:20 5459968 ----a-w- c:\windows\system32\aticaldd.dll

2011-04-20 02:14:04 17743872 ----a-w- c:\windows\system32\atioglxx.dll

2011-04-20 02:10:32 59904 ----a-w- c:\windows\system32\OVDecode.dll

2011-04-20 02:10:18 51712 ----a-w- c:\windows\system32\OpenCL.dll

2011-04-20 02:10:02 12385280 ----a-w- c:\windows\system32\amdocl.dll

2011-04-20 02:04:00 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll

2011-04-20 02:02:58 302080 ----a-w- c:\windows\system32\ati2dvag.dll

2011-04-20 02:01:50 4017408 ----a-w- c:\windows\system32\ati3duag.dll

2011-04-20 01:45:06 3265920 ----a-w- c:\windows\system32\ativvaxx.dll

2011-04-20 01:44:34 212992 ----a-w- c:\windows\system32\atipdlxx.dll

2011-04-20 01:44:22 155648 ----a-w- c:\windows\system32\Oemdspif.dll

2011-04-20 01:44:14 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2011-04-20 01:44:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2011-04-20 01:43:54 188416 ----a-w- c:\windows\system32\ati2evxx.dll

2011-04-20 01:42:40 643072 ----a-w- c:\windows\system32\ati2evxx.exe

2011-04-20 01:41:22 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2011-04-20 01:40:08 151552 ----a-w- c:\windows\system32\atiapfxx.exe

2011-04-20 01:36:24 651264 ----a-w- c:\windows\system32\atikvmag.dll

2011-04-20 01:34:10 200704 ----a-w- c:\windows\system32\atiadlxx.dll

2011-04-20 01:33:52 17408 ----a-w- c:\windows\system32\atitvo32.dll

2011-04-20 01:30:48 503808 ----a-w- c:\windows\system32\atiok3x2.dll

2011-04-20 01:28:32 851968 ----a-w- c:\windows\system32\ati2cqag.dll

2011-04-20 01:27:32 64512 ----a-w- c:\windows\system32\atimpc32.dll

2011-04-20 01:27:32 64512 ----a-w- c:\windows\system32\amdpcom32.dll

2011-04-20 01:26:26 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-14 06:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-18 18:32:10 71072 ----a-w- c:\windows\CouponPrinter.ocx

.

============= FINISH: 17:57:32.15 ===============

Attach.txt

  • Staff

Hi and welcome to Malwarebytes.

Please post a protection log from MBAM.

Next, please reboot to Safe Mode With Networking (tap the F8 key just before Windows starts to load and select the Safe Mode With Networking option from the menu). Do the blocks persist there?

No, it's not happening in safe mode. It's also not happening every day, but I guess I don't think there should be any IP blocks unless they appear to be false positives.

16:52:23 XYZ & Company IP-BLOCK 208.73.210.29 (Type: outgoing)

16:52:26 XYZ & Company IP-BLOCK 208.73.210.29 (Type: outgoing)

16:52:32 XYZ & Company IP-BLOCK 208.73.210.29 (Type: outgoing)

17:01:06 XYZ & Company IP-BLOCK 208.91.207.65 (Type: outgoing)

17:01:08 XYZ & Company IP-BLOCK 208.91.207.65 (Type: outgoing)

17:01:14 XYZ & Company IP-BLOCK 208.91.207.65 (Type: outgoing)

17:01:33 XYZ & Company IP-BLOCK 208.91.207.65 (Type: outgoing)

17:01:36 XYZ & Company IP-BLOCK 208.91.207.65 (Type: outgoing)

17:01:42 XYZ & Company IP-BLOCK 208.91.207.65 (Type: outgoing)

17:20:36 XYZ & Company MESSAGE Protection started successfully

17:21:55 XYZ & Company MESSAGE IP Protection started successfully

17:24:58 XYZ & Company MESSAGE IP Protection stopped

17:25:07 XYZ & Company MESSAGE Database updated successfully

17:25:11 XYZ & Company MESSAGE IP Protection started successfully

17:53:45 XYZ & Company MESSAGE Protection started successfully

17:54:18 XYZ & Company MESSAGE IP Protection started successfully

17:01:00 XYZ & Company IP-BLOCK 93.174.91.144 (Type: outgoing)

17:01:03 XYZ & Company IP-BLOCK 93.174.91.144 (Type: outgoing)

17:01:09 XYZ & Company IP-BLOCK 93.174.91.144 (Type: outgoing)

19:39:59 XYZ & Company MESSAGE Protection started successfully

19:40:33 XYZ & Company MESSAGE IP Protection started successfully

19:51:53 XYZ & Company MESSAGE Protection started successfully

19:52:15 XYZ & Company MESSAGE IP Protection started successfully

20:05:09 XYZ & Company MESSAGE Protection started successfully

20:05:36 XYZ & Company MESSAGE IP Protection started successfully

21:04:36 XYZ & Company DETECTION C:\Documents and Settings\XYZ & Company\Local Settings\Temporary Internet Files\chpati_rs690amp69wxp.exe Trojan.Agent ALLOW

21:20:20 XYZ & Company DETECTION C:\Documents and Settings\XYZ & Company\Local Settings\Temporary Internet Files\chpati_rs690amp69wxp.exe Trojan.Agent ALLOW

21:59:19 XYZ & Company MESSAGE Protection started successfully

21:59:26 XYZ & Company MESSAGE IP Protection started successfully

22:52:09 XYZ & Company MESSAGE Protection started successfully

22:52:16 XYZ & Company MESSAGE IP Protection started successfully

23:16:52 XYZ & Company MESSAGE Protection started successfully

07:40:24 XYZ & Company IP-BLOCK 46.17.96.229 (Type: outgoing)

07:40:36 XYZ & Company IP-BLOCK 46.17.96.229 (Type: outgoing)

07:40:49 XYZ & Company IP-BLOCK 193.169.40.29 (Type: outgoing)

07:40:52 XYZ & Company IP-BLOCK 193.169.40.29 (Type: outgoing)

07:40:58 XYZ & Company IP-BLOCK 193.169.40.29 (Type: outgoing)

12:53:40 XYZ & Company IP-BLOCK 193.169.40.29 (Type: outgoing)

12:53:45 XYZ & Company IP-BLOCK 46.17.96.229 (Type: outgoing)

12:53:48 XYZ & Company IP-BLOCK 46.17.96.229 (Type: outgoing)

23:17:03 XYZ & Company MESSAGE IP Protection started successfully

I didn't bother to post that file because I recognize it. It has to do with my accounting software and it is a scheduler that automatically loads updates. I have turned it off.

Today, when I walked into my office there was a message from Avira.

BLOCKED: E:/autorun.in.Aug.8 was blocked from running.

I cannot find this in any log file. "E" is a partition on my hard drive.

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

  • 2 months later...

Thanks for un-locking this thread.

Sorry, I was off vacationing and I am back. This laptop is still trying to make outbound IPs to Latvia!

Thank goodness Malwarebytes blocks these things.

Here's the recent Malwarebytes log:

11:29:56 IP-BLOCK 91.188.62.42 (Type: outgoing)

11:29:58 IP-BLOCK 91.188.62.42 (Type: outgoing)

11:30:02 IP-BLOCK 91.188.62.42 (Type: outgoing)

17:48:14 IP-BLOCK 62.45.210.64 (Type: outgoing)

17:48:16 IP-BLOCK 62.45.210.64 (Type: outgoing)

17:48:20 IP-BLOCK 62.45.210.64 (Type: outgoing)

PLEASE NOTE THAT THE "TASKSCHEDULER" from ProSeries is part of my accounting software.

Here's the COMBOFIX log:

************************************

ComboFix 11-08-13.02 - Computer User 08/15/2011 15:26:45.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.490 [GMT -4:00]

Running from: c:\documents and settings\Computer User\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Laptop User\GoToAssistDownloadHelper.exe

c:\documents and settings\Guest new\gotomypc_540.exe

c:\documents and settings\Computer User\g2mdlhlpx.exe

c:\documents and settings\Computer User\My Documents\~WRL0862.tmp

c:\documents and settings\Computer User\My Documents\~WRL1041.tmp

c:\windows\mainms.vpi

c:\windows\megavid.cdt

c:\windows\muotr.so

c:\windows\system\oeminfo.ini

c:\windows\system32\drivers\icjelaahoqvk.sys

c:\windows\system32\tmp.reg

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_icjelaahoqvk

-------\Service_icjelaahoqvk

.

.

((((((((((((((((((((((((( Files Created from 2011-07-15 to 2011-08-15 )))))))))))))))))))))))))))))))

.

.

2011-08-13 05:35 . 2011-07-20 13:44 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{CB8E56B9-AE81-43DF-80DD-61A3D80EDB17}\mpengine.dll

2011-08-09 04:07 . 2011-07-20 13:44 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-08-09 04:06 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-09 04:03 . 2011-08-09 04:03 -------- d-----w- c:\program files\Windows Defender

2011-08-08 12:34 . 2011-08-08 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer

2011-07-31 01:14 . 2011-07-31 01:14 -------- d-----w- c:\program files\Common Files\Java

2011-07-25 16:25 . 2011-07-25 16:25 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe

2011-07-25 16:25 . 2011-07-25 16:25 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll

2011-07-21 02:43 . 2011-07-21 02:44 -------- d-----w- c:\documents and settings\Guest new\Local Settings\Application Data\Deployment

2011-07-21 00:41 . 2011-07-21 00:41 -------- d-----w- c:\documents and settings\Computer User\Tracing

2011-07-21 00:39 . 2011-05-12 21:32 82696 ----a-w- c:\windows\system32\lmdimon8.dll

2011-07-21 00:39 . 2011-05-12 21:32 82184 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll

2011-07-21 00:39 . 2011-07-21 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-06 14:08 . 2008-06-06 13:04 398760 ----a-r- c:\windows\system32\cpnprt2.cid

2011-07-06 23:52 . 2009-05-17 16:07 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 23:52 . 2009-05-17 16:07 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-05 20:35 . 2011-07-05 20:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-09 19:55 . 2011-05-09 19:55 289592 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TaskScheduler"="c:\prowin10\32bit\tasksch.exe" [2011-08-05 443448]

"PrinterShare"="c:\program files\PrinterShare\paConsole.exe" [2011-02-22 1107456]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]

"nwiz"="nwiz.exe" [2007-11-17 1626112]

"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-08 128560]

"iTunesHelper"="c:\program files\ITunes\iTunesHelper.exe" [2009-09-21 305440]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"HPMVTray"="c:\program files\Hewlett-Packard\HP Media Vault\Utilities\HPMVTray.exe" [2007-02-15 964248]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-13 1122304]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 114688]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"USBDetector"="c:\usbstorage\USBDetector.exe" [2003-04-01 53248]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2005-07-23 188416]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

c:\documents and settings\Laptop User\Start Menu\Programs\Startup\

Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [N/A]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDevMgrUpdate"= 0 (0x0)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDevMgrUpdate"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-02-23 02:56 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wxvault.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Computer User^Start Menu^Programs^Startup^Bat - Auto Update.lnk]

path=c:\documents and settings\Computer User\Start Menu\Programs\Startup\Bat - Auto Update.lnk

backup=c:\windows\pss\Bat - Auto Update.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Computer User^Start Menu^Programs^Startup^Last.fm Helper.lnk]

path=c:\documents and settings\Computer User\Start Menu\Programs\Startup\Last.fm Helper.lnk

backup=c:\windows\pss\Last.fm Helper.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-05-27 18:52 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2007-05-14 20:23 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]

2007-01-30 21:32 102400 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FJTWAIN Setup]

2004-09-01 16:45 126976 ----a-w- c:\windows\twain_32\Fjscan32\FjtwSetup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FtLnSOP_setup]

2005-01-06 08:16 212992 ----a-w- c:\windows\twain_32\Fjscan32\SOP\FtLnSOP.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

2006-07-19 17:03 94208 ----a-w- c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2007-11-17 08:03 81920 ----a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2007-06-08 22:40 128560 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureUpgrade]

2007-01-22 17:53 212992 ----a-w- c:\program files\Wave Systems Corp\SecureUpgrade.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2007-05-10 15:22 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\stsystra.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UniblueSpeedUpMyPC]

2009-04-29 09:45 614696 ----a-w- c:\program files\Uniblue\SpeedUpMyPC\Launcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"Netlogs"=2 (0x2)

"MsSecurity1.209.4"=2 (0x2)

"Bonjour Service"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\TightVNC\\WinVNC.exe"=

"c:\\kav\\kav7\\setup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\ITunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=

"c:\\Program Files\\NewTech Infosystems\\NTI Shadow 3\\Shadow.exe"=

"c:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\CDDIB32.exe"=

"c:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\DIBExplor.exe"=

"c:\\Program Files\\PrinterShare\\paConsole.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/25/2010 9:11 PM 691696]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/10/2008 3:23 PM 3712]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/17/2009 12:07 PM 366640]

R2 SupportSpaceHelperService;SupportSpace platform helper service;c:\program files\SupportSpace\Support Platform\supportspace_tools.exe [1/20/2008 5:12 PM 308464]

R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [7/27/2005 6:25 PM 14080]

R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 6:25 PM 36352]

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/4/2004 8:00 AM 5120]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 6:43 PM 31896]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/17/2009 12:07 PM 22712]

R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [7/27/2005 6:25 PM 77056]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]

S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [10/24/2010 12:10 PM 114704]

S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [3/6/2008 9:09 AM 44928]

S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 2:44 AM 993848]

S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2963105436-2415782456-3906164000-1007Core.job

- c:\documents and settings\Computer User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-01 17:14]

.

2011-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2963105436-2415782456-3906164000-1007UA.job

- c:\documents and settings\Computer User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-01 17:14]

.

2011-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2963105436-2415782456-3906164000-1009Core.job

- c:\documents and settings\Guest new\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-21 02:44]

.

2011-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2963105436-2415782456-3906164000-1009UA.job

- c:\documents and settings\Guest new\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-21 02:44]

.

2011-08-15 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

2011-08-15 c:\windows\Tasks\User_Feed_Synchronization-{E3277B1A-2E11-4D47-B9FF-9A71E056957E}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

LSP: c:\windows\system32\biolsp.dll

Trusted Zone: elance.com\collab

Trusted Zone: elance.com\secure

Trusted Zone: elance.com\www

Trusted Zone: godaddy.com\mya

Trusted Zone: godaddy.com\www

Trusted Zone: google.com\mail

Trusted Zone: google.com\www

Trusted Zone: gotomypc.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: mynutrikids.com\www

Trusted Zone: naea.org\webboard

Trusted Zone: verizonwireless.com\ebillpay

TCP: DhcpNameServer = 8.8.8.8 4.2.2.2

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: Web-Based Email Tools - hxxp://email02.secureserver.net/Download.CAB

DPF: {08653405-44A9-4E99-9C09-DD00770AAA08} - hxxp://www.supportspace.com/rcp/6.0.633.5/SupportSpace_tools.dll

DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://151.203.99.51/Ericom/WebConnect%205.6/web/windows/ptdownloader.cab

DPF: {9D27C3FA-6662-4D29-99FB-A58A405FD584} - hxxps://secureshare.prometric.com/COM/MOVEitUploadWizard4.0.0.ocx

FF - ProfilePath - c:\documents and settings\Computer User\Application Data\Mozilla\Firefox\Profiles\sqyq2uvb.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach

FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Computer User\Application Data\Move Networks

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{76DD7730-2951-46D7-80E9-C63D52EE9470} - c:\windows\system32\mljjg.dll

Notify-GoToMyPC - c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

Notify-vtuurpp - (no file)

MSConfigStartUp-8c7514ae - c:\windows\system32\ismjpymd.dll

MSConfigStartUp-AVP - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

MSConfigStartUp-BM8f462732 - c:\windows\system32\twfebqsi.dll

MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

MSConfigStartUp-hcfnbocl - c:\windows\system32\tktsfcdi.exe

MSConfigStartUp-iTunesHelper - d:\program files\ITunes\iTunesHelper.exe

MSConfigStartUp-monsrvset - c:\documents and settings\All Users\Application Data\Common\bwnwdujm.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

MSConfigStartUp-webHancer Agent - c:\program files\webHancer\Programs\whagent.exe

AddRemove-Videora iPod Converter - c:\program files\Red Kawa\Video Converter 3\uninstaller.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-15 15:47

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TaskScheduler = c:\prowin10\32bit\tasksch.exe???????A?Ux????+.Tx????L???????:?Ux????????<??????????????NL??????N????n???????0?????Uxo???????$???,??4l???8?????C???????@????4l???l???X?????C??????yA?????d??4P?D?l??????4????D-C??????H@?@?C?????&???!???????@?C?????????????????@?C

.

scanning hidden files ...

.

.

c:\windows\TEMP\TMP000000156E16CC4BE12E28B9 524288 bytes

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(848)

c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'lsass.exe'(904)

c:\windows\system32\biolsp.dll

.

- - - - - - - > 'explorer.exe'(3228)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\biolsp.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\bcmwltry.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\fxssvc.exe

c:\windows\system32\msdtc.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\Brother\ControlCenter3\brccMCtl.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Brother\Brmfcmon\BrMfimon.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-08-15 15:55:03 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-15 19:54

ComboFix2.txt 2008-04-21 22:18

.

Pre-Run: 16,237,953,024 bytes free

Post-Run: 16,976,412,672 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

.

- - End Of File - - FF6E976BC87BC963DE059501D16A21A4

************************************************************************


  • Staff

Hi,

Please update MBAM, run a Quick Scan, and post its log.

Then grab a fresh copy of ComboFix, run it, and post its log.

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Also run DDS again and post attach.txt

Let me know how things are running now.

-screen317


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
