
Hijacked Browsers - Please Help!



#16 221b (Topic Starter, Member, 42 posts)
I was able to successfully delete the trusted sites (I removed those that my company uses) and confirmed they are gone from IE's security settings.

I also reran ComboFix with the supplied TXT file, but it doesn't appear to have done anything differently.

I am still receiving redirects that Malwarebytes Anti-Malware is catching.

Attached are both the requested rescanned OTL and CF log files.

IMPORTANT: On one reboot after OTL completed, my laptop again hung, so I powered off. When I logged back on as the generic "user" administrator account I created, Windows reset (apparently created a new profile, new IE settings, etc.) as if it were a brand-new account. My desktop was blank, but I was able to navigate to C:\documents and settings\user\desktop and access OTL and ComboFix.exe and run them just fine. On another reboot, it took the old settings, as these files appeared on my desktop...

Odd.


#17 221b (Topic Starter, Member, 42 posts)
Here's the OTL report:

OTL logfile created on: 10/23/2010 2:59:06 PM - Run 4
OTL by OldTimer - Version 3.2.16.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2963 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 91.54 Gb Free Space | 61.41% Space Free | Partition Type: NTFS

Computer Name: AMRNYCLL3CCC3N | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\user\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Tether\TBService.exe ()
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe (McAfee, Inc.)
PRC - C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)
PRC - C:\WINDOWS\system32\DTS.exe ()
PRC - C:\WINDOWS\system32\AtService.exe (AuthenTec, Inc.)
PRC - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe ()
PRC - c:\WINDOWS\company\_utils\aPodClient\aPodClientService11.exe (C&C Consultants)
PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc.)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
PRC - C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe (Lenovo Group Limited)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
PRC - C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)
PRC - C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)
PRC - C:\WINDOWS\system32\TpShocks.exe (Lenovo.)
PRC - C:\WINDOWS\system32\TPHDEXLG.exe (Lenovo.)
PRC - C:\Program Files\Lenovo\ZOOM\TpScrex.exe (Lenovo Group Limited)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ibmpmsvc.exe (Lenovo)
PRC - C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
PRC - C:\Program Files\NetSupport\NetSupport Manager\client32.exe (NetSupport Ltd)
PRC - C:\Program Files\Utimaco\Safeguard Easy\ecview.exe (Utimaco Safeware AG)
PRC - C:\Program Files\Utimaco\Safeguard Easy\WksCfgSrv.exe (Utimaco Safeware AG)
PRC - C:\Program Files\Utimaco\Safeguard Easy\SgeCtl.exe (Utimaco Safeware AG)
PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
PRC - C:\Program Files\Gemplus\GemSafe Libraries\BIN\RegTool.exe (Gemplus)
PRC - C:\WINDOWS\system32\SgLogPlayer.exe (Utimaco Safeware AG)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\user\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\Program Files\Utimaco\Safeguard Easy\SgMsgBhk.dll (Utimaco Safeware AG)


========== Win32 Services (SafeList) ==========

SRV - (stllssvr) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe File not found
SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe File not found
SRV - (Tether) -- C:\Program Files\Tether\TBService.exe ()
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (hips) -- C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe (McAfee, Inc.)
SRV - (enterceptAgent) -- C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe (McAfee, Inc.)
SRV - (CcmExec) -- C:\WINDOWS\system32\CCM\CcmExec.exe (Microsoft Corporation)
SRV - (smstsmgr) -- C:\WINDOWS\System32\CCM\TSManager.exe (Microsoft Corporation)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (McAfee, Inc.)
SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (McAfee, Inc.)
SRV - (McAfeeEngineService) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe (McAfee, Inc.)
SRV - (ThinkVantage Registry Monitor Service) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)
SRV - (FingerprintServer) -- C:\WINDOWS\system32\FpLogonServ.exe (AuthenTec,Inc)
SRV - (dtsvc) -- C:\WINDOWS\system32\DTS.exe ()
SRV - (ADMonitor) -- C:\WINDOWS\system32\ADMonitor.exe ()
SRV - (ATService) -- C:\WINDOWS\system32\AtService.exe (AuthenTec, Inc.)
SRV - (Power Manager DBC Service) -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe ()
SRV - (aPodClientService) -- c:\WINDOWS\company\_utils\aPodClient\aPodClientService11.exe (C&C Consultants)
SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
SRV - (WLANKEEPER) Intel® -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe (Intel® Corporation)
SRV - (S24EventMonitor) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
SRV - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
SRV - (ExtranetAccess) -- C:\Program Files\Nortel Networks\Extranet_serv.exe (Nortel Networks NA, Inc.)
SRV - (TPHDEXLGSVC) -- C:\WINDOWS\system32\TPHDEXLG.exe (Lenovo.)
SRV - (IBMPMSVC) -- C:\WINDOWS\system32\ibmpmsvc.exe (Lenovo)
SRV - (Client32) -- C:\Program Files\NetSupport\NetSupport Manager\client32.exe (NetSupport Ltd)
SRV - (WksCfgSrv) -- C:\Program Files\Utimaco\Safeguard Easy\WksCfgSrv.exe (Utimaco Safeware AG)
SRV - (SgeCtl) -- C:\Program Files\Utimaco\Safeguard Easy\SgeCtl.exe (Utimaco Safeware AG)
SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
SRV - (GemSAFE Card Server) -- C:\Program Files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe (Gemplus)
SRV - (SgLogPlayer) -- C:\WINDOWS\system32\SgLogPlayer.exe (Utimaco Safeware AG)
SRV - (OracleOraHome92ClientCache) -- C:\Oracle\Ora92\bin\ONRSD.EXE ()


========== Driver Services (SafeList) ==========

DRV - (LMouKE) -- C:\WINDOWS\System32\DRIVERS\LMouKE.Sys File not found
DRV - (LHidUsbK) -- C:\WINDOWS\System32\Drivers\LHidUsbK.Sys File not found
DRV - (kbstuff) -- C:\WINDOWS\System32\DRIVERS\kbstuff5.sys File not found
DRV - (idisw2km) -- C:\WINDOWS\System32\DRIVERS\idisw2km.sys File not found
DRV - (GEARAspiWDM) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys File not found
DRV - (cpuz132) -- C:\DOCUME~1\userM02\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (catchme) -- C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (HIPK) -- C:\WINDOWS\system32\drivers\HIPK.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (HIPPSK) -- C:\WINDOWS\system32\drivers\HIPPSK.sys (McAfee, Inc.)
DRV - (HIPQK) -- C:\WINDOWS\system32\drivers\HIPQK.sys (McAfee, Inc.)
DRV - (firelm01) -- C:\WINDOWS\system32\drivers\firelm01.sys (McAfee, Inc.)
DRV - (FireTDI) -- C:\WINDOWS\system32\drivers\FireTDI.sys (McAfee, Inc.)
DRV - (FirePM) -- C:\WINDOWS\system32\Drivers\FirePM.sys (McAfee, Inc.)
DRV - (qrkis) -- C:\WINDOWS\system32\drivers\qrkis.sys (Tether)
DRV - (prepdrvr) -- C:\WINDOWS\system32\CCM\PrepDrv.sys (Microsoft Corporation)
DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (Lenovo (United States) Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (FirehkMP) -- C:\WINDOWS\system32\drivers\firehk.sys (McAfee, Inc.)
DRV - (Firehk) -- C:\WINDOWS\system32\drivers\firehk.sys (McAfee, Inc.)
DRV - (NETw5x32) Intel® -- C:\WINDOWS\system32\drivers\NETw5x32.sys (Intel Corporation)
DRV - (iastor) -- C:\WINDOWS\system32\DRIVERS\iastor.sys (Intel Corporation)
DRV - (smsmdd) -- C:\WINDOWS\system32\drivers\smsmdm.sys (Microsoft Corporation)
DRV - (ATSwpWDF) -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys (AuthenTec, Inc.)
DRV - (TPPWRIF) -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS ()
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (TSMAPIP) -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS ()
DRV - (e1yexpress) Intel® -- C:\WINDOWS\system32\drivers\e1y5132.sys (Intel Corporation)
DRV - (tpm) -- C:\WINDOWS\system32\drivers\tpm.sys (Intel Corporation)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (smihlp) SMI Helper Driver (smihlp) -- C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys (UPEK Inc.)
DRV - (CnxtHdAudService) -- C:\WINDOWS\system32\drivers\CHDAU32.sys (Conexant Systems Inc.)
DRV - (Eacfilt) -- C:\WINDOWS\system32\drivers\eacfilt.sys (Nortel Networks)
DRV - (IPSECSHM) -- C:\WINDOWS\system32\drivers\ipsecw2k.sys (Nortel Networks NA, Inc.)
DRV - (IPSECEXT) -- C:\WINDOWS\system32\drivers\ipsecw2k.sys (Nortel Networks NA, Inc.)
DRV - (Shockprf) -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys (Lenovo.)
DRV - (TPDIGIMN) -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys (Lenovo.)
DRV - (TPHKDRV) -- C:\WINDOWS\system32\drivers\TPHKDRV.sys (Lenovo Group Limited)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (NSCIRDA) -- C:\WINDOWS\system32\drivers\nscirda.sys (National Semiconductor Corporation)
DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (LT)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (IBMPMDRV) -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys (Lenovo.)
DRV - (HECI) Intel® -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)
DRV - (TVTI2C) -- C:\WINDOWS\system32\drivers\tvti2c.sys (Lenovo (United States) Inc.)
DRV - (SgeFlt) -- C:\WINDOWS\SYSTEM32\DRIVERS\SGEFLT.SYS (Utimaco Safeware AG)
DRV - (AES-256) -- C:\WINDOWS\SYSTEM32\DRIVERS\AES256.SYS (Utimaco Safeware AG)
DRV - (PCISys) -- C:\WINDOWS\system32\drivers\pcisys.sys (NetSupport Ltd)
DRV - (gdihook5) -- C:\WINDOWS\system32\drivers\gdihook5.sys (NetSupport Ltd)
DRV - (ATNT40K) -- C:\WINDOWS\SYSTEM32\DRIVERS\ATNT40K.SYS ()
DRV - (DgiVecp) -- C:\WINDOWS\system32\drivers\DGIVECP.SYS (DeviceGuys, Inc.)
DRV - (Symmpi) -- C:\WINDOWS\system32\DRIVERS\symmpi.sys (LSI Logic)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (TwoTrack) -- C:\WINDOWS\system32\drivers\TwoTrack.sys (IBM Corporation)
DRV - (ac97intc) Intel® 82801 Audio Driver Install Service (WDM) -- C:\WINDOWS\system32\drivers\ac97intc.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://world.company.com
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/15 11:02:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/06 09:35:03 | 000,000,000 | ---D | M]

[2010/02/21 14:00:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/31 21:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/07/12 12:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2010/10/23 14:15:14 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll (Google Inc.)
O2 - BHO: (IePasswordManagerHelper Class) - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [cssauth] C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [EdWizard] C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe (Utimaco Safeware AG)
O4 - HKLM..\Run: [EZEJMNAP] C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE (Lenovo Group Ltd.)
O4 - HKLM..\Run: [FingerPrintSoftware] C:\Program Files\Lenovo Fingerprint Software\fpapp.exe (Authentec,Inc)
O4 - HKLM..\Run: [gemstrmw] C:\WINDOWS\System32\gemstrmw.exe (Gemplus)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [LPMailChecker] C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [LPManager] C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [McAfee Host Intrusion Prevention Tray] C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [pSGEState] C:\Program Files\Utimaco\Safeguard Easy\pSGEState.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries\BIN\RegTool.exe (Gemplus)
O4 - HKLM..\Run: [SgeEcView] C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe (Utimaco Safeware AG)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TpShocks] C:\WINDOWS\System32\TpShocks.exe (Lenovo.)
O4 - HKCU..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMSAppLogo5ChannelNotify = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: nodrivetypeautorun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O15 - HKLM\..Trusted Domains: p2l.company.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: company.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: company.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: company.com ([pdocs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: company.com ([pdocsstg] http in Trusted sites)
O15 - HKLM\..Trusted Domains: companyhealthydirections.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: accenture.com ([sms-company] https in Trusted sites)
O15 - HKCU\..Trusted Domains: accenture.com ([sms-company-dev] https in Trusted sites)
O15 - HKCU\..Trusted Domains: p2l.company.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: company.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([*.p2l] https in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([pdocs] http in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([pdocsstg] http in Trusted sites)
O15 - HKCU\..Trusted Domains: companyhealthydirections.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: webex.com ([companyconnect] https in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([*.labs] * in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([*.pr] * in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([*.pri] * in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([*.wai] * in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([*.war] * in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([vanweb.labs] http in Trusted sites)
O15 - HKCU\..Trusted Domains: company.com ([webex] https in Trusted sites)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1287103824578 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} http://u3.sandisk.co...LPInstaller.CAB (CInstallLPCtrl Object)
O16 - DPF: {8D5D65AC-273D-491E-8874-BBB4B63DEA67} http://ecf.company.c...033/DSigRes.cab (DigitalSignatures Resources Control Class)
O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} http://java.sun.com/...-131_01-win.cab (Java Plug-in 1.3.1_01)
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_01)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {FCADE536-93F5-4577-80A3-E7C32FAC4C7D} http://qualitycenter...in/Spider10.cab (Loader Class v5)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.company.com
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (tvt_gina.dll) - C:\WINDOWS\System32\tvt_gina.dll (Lenovo)
O20 - Winlogon\Notify\ATFUS: DllName - C:\WINDOWS\system32\FpWinLogonNp.dll - C:\WINDOWS\system32\FpWinlogonNp.dll (AuthenTec,Inc)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NotLog: DllName - SGLogEx.dll - C:\WINDOWS\System32\SGLogEx.dll (Utimaco Safeware AG)
O20 - Winlogon\Notify\psfus: DllName - C:\WINDOWS\system32\psqlpwd.dll - C:\WINDOWS\system32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\SGLogNotification: DllName - SGLogNotification.dll - C:\WINDOWS\System32\SGLogNotification.dll (Utimaco Safeware AG)
O20 - Winlogon\Notify\tpfnf2: DllName - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - C:\Program Files\Lenovo\HOTKEY\tphklock.dll - C:\Program Files\Lenovo\HOTKEY\tphklock.dll (Lenovo Group Limited)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/21 15:39:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/10/23 14:35:36 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/10/23 13:37:52 | 000,040,328 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\HIPIS0e011b3.dll
[2010/10/22 20:27:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/10/22 19:27:16 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\user\Desktop\HijackThis.exe
[2010/10/22 19:24:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2010/10/22 18:41:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\DoctorWeb
[2010/10/22 18:13:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/10/22 18:09:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Adobe
[2010/10/22 18:08:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Google
[2010/10/22 18:08:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Google
[2010/10/22 18:04:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Identities
[2010/10/22 18:04:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Sun
[2010/10/22 18:02:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\My Documents\My Pictures
[2010/10/22 18:02:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\My Documents\My Music
[2010/10/22 18:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Lenovo
[2010/10/22 17:58:40 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/10/22 17:50:34 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\user\Cookies
[2010/10/22 17:50:32 | 000,000,000 | --SD | C] -- C:\Documents and Settings\user\Application Data\Microsoft
[2010/10/22 17:50:32 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\user\SendTo
[2010/10/22 17:50:32 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\user\Recent
[2010/10/22 17:50:32 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\user\Application Data
[2010/10/22 17:50:32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\Start Menu
[2010/10/22 17:50:32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\My Documents
[2010/10/22 17:50:32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\Favorites
[2010/10/22 17:50:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\user\Templates
[2010/10/22 17:50:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\user\PrintHood
[2010/10/22 17:50:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\user\NetHood
[2010/10/22 17:50:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\user\Local Settings
[2010/10/22 17:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Microsoft
[2010/10/22 17:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Macromedia
[2010/10/22 17:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Intel
[2010/10/22 17:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop
[2010/10/22 17:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Apple Computer
[2010/10/22 17:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Apple Computer
[2010/10/18 16:08:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/10/18 16:08:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/10/18 16:08:42 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/10/18 16:08:42 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/10/18 09:59:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Driver Whiz
[2010/10/16 10:06:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/10/16 01:29:23 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/10/16 01:25:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/10/16 01:24:45 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/16 01:24:36 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/10/15 16:29:21 | 000,000,000 | ---D | C] -- C:\2060e3e07a73307b53
[2010/10/15 10:46:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2010/10/14 22:40:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/10/14 19:14:46 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/10/13 13:09:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server

========== Files - Modified Within 30 Days ==========

[2010/10/23 15:12:02 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{7064549A-867A-4424-B1B6-1B44E64DA9AF}.job
[2010/10/23 15:03:56 | 000,000,990 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-879983540-682003330-508785UA.job
[2010/10/23 15:03:56 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/10/23 14:34:40 | 003,884,040 | R--- | M] () -- C:\Documents and Settings\user\Desktop\ComboFix.exe
[2010/10/23 14:19:36 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2010/10/23 14:19:03 | 000,040,866 | ---- | M] () -- C:\WINDOWS\System32\api_hook_list.dat
[2010/10/23 14:17:52 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010/10/23 14:17:51 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/23 14:17:47 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/10/23 14:16:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/23 14:16:19 | 2072,010,752 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/23 14:16:16 | 000,000,008 | ---- | M] () -- C:\WINDOWS\System32\pcisys.ntk
[2010/10/23 14:15:14 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/10/22 19:25:33 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\user\Desktop\HijackThis.exe
[2010/10/22 18:05:51 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/10/22 18:05:45 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2010/10/22 17:34:15 | 051,074,008 | ---- | M] () -- C:\Documents and Settings\user\Desktop\rjm2sk4f.exe
[2010/10/22 17:24:27 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/10/22 12:53:01 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-879983540-682003330-508785Core.job
[2010/10/16 01:29:30 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/10/15 09:41:54 | 000,461,076 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/15 09:41:54 | 000,077,704 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/15 08:23:10 | 000,255,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/14 17:14:03 | 000,007,305 | ---- | M] () -- C:\WirelessDiagLog.csv
[2010/10/05 16:25:00 | 000,420,605 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101014-185119.backup
[2010/09/23 15:43:59 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

========== Files Created - No Company Name ==========

[2010/10/23 14:19:03 | 000,040,866 | ---- | C] () -- C:\WINDOWS\System32\api_hook_list.dat
[2010/10/23 13:37:52 | 000,001,024 | ---- | C] () -- C:\.rnd
[2010/10/22 21:29:50 | 2072,010,752 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/22 19:45:05 | 003,884,040 | R--- | C] () -- C:\Documents and Settings\user\Desktop\ComboFix.exe
[2010/10/22 18:05:51 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/10/22 18:05:45 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2010/10/22 18:05:30 | 000,001,481 | ---- | C] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2010/10/22 17:58:43 | 051,074,008 | ---- | C] () -- C:\Documents and Settings\user\Desktop\rjm2sk4f.exe
[2010/10/18 16:08:45 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/10/18 16:08:43 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/10/18 16:08:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/10/18 16:08:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/10/18 16:08:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/10/16 01:29:30 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/10/16 01:29:27 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/10/14 17:13:37 | 000,007,305 | ---- | C] () -- C:\WirelessDiagLog.csv
[2010/09/11 18:42:48 | 000,000,033 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\{081230F8-EA50-42A9-983C-D22ABC2EED3B}.ini
[2010/09/11 18:36:46 | 000,000,090 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/09/11 18:34:09 | 000,001,264 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
[2010/07/08 10:32:03 | 000,091,154 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2010/07/08 10:09:10 | 000,000,223 | ---- | C] () -- C:\WINDOWS\mercury.ini
[2010/01/31 16:49:09 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2009/10/19 22:36:04 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgHtmHlp040C.Dll
[2009/10/19 22:36:04 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgHtmHlp0409.Dll
[2009/10/19 22:36:04 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgHtmHlp0407.Dll
[2009/10/19 22:36:04 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgeMigWz040C.DLL
[2009/10/19 22:36:04 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgeMigWz0407.DLL
[2009/10/19 22:36:01 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\SgeCompConfig.dll
[2009/10/19 22:36:01 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\SGE_MSG0409.dll
[2009/10/19 22:36:01 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\SgeCtlps.Dll
[2009/10/19 22:36:01 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\SgeComp040C.dll
[2009/10/19 22:36:01 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\SgeComp0409.dll
[2009/10/19 22:36:01 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\SgeComp0407.dll
[2009/10/19 22:36:01 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\SgeAdm040C.dll
[2009/10/19 22:36:01 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\SgeAdm0407.dll
[2009/10/19 22:36:01 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgeDrse040C.dll
[2009/10/19 22:36:01 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgeDrse0407.dll
[2009/10/19 22:36:01 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SGECRYPT040C.Dll
[2009/10/19 22:36:01 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SGECRYPT0407.Dll
[2009/10/19 22:36:01 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgeAdm0409.dll
[2009/10/19 22:36:00 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SGE_ERR040C.dll
[2009/10/19 22:36:00 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SGE_ERR0409.dll
[2009/10/19 22:36:00 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SGE_ERR0407.dll
[2009/10/19 22:36:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SGE_MSG040C.dll
[2009/10/19 22:36:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SGE_MSG0407.dll
[2009/10/19 22:36:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\SecClassFactoryPs.dll
[2009/10/19 22:36:00 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\PropManager040C.dll
[2009/10/19 22:36:00 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\PropManager0407.dll
[2009/10/19 22:36:00 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\propmanager0409.dll
[2009/10/19 22:36:00 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\Evt_Msg040C.dll
[2009/10/19 22:36:00 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\Evt_Msg0407.dll
[2009/10/19 22:36:00 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\EDWizard0407.Dll
[2009/10/19 22:36:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SGE_INFO040C.dll
[2009/10/19 22:36:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SGE_INFO0409.dll
[2009/10/19 22:36:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SGE_INFO0407.dll
[2009/10/19 22:36:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgChall040C.Dll
[2009/10/19 22:36:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\SgChall0407.Dll
[2009/10/19 22:36:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\Evt_Msg0409.dll
[2009/10/19 22:35:59 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\WksCfgSrvps.dll
[2009/10/19 22:35:59 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\EDWizard040C.Dll
[2009/10/19 22:35:59 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\DCOMSec0409.dll
[2009/10/19 22:35:59 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\EcView040C.dll
[2009/10/19 22:35:59 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\EcView0407.dll
[2009/10/19 22:35:59 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\CHGSAL040C.Dll
[2009/10/19 22:35:59 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\CHGSAL0407.Dll
[2009/09/26 19:58:47 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2009/09/22 16:20:47 | 000,001,136 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2009/09/16 08:39:46 | 000,048,586 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xpif-v02030a.dtd
[2009/09/16 04:31:30 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/09/16 04:31:29 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/09/16 04:31:29 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/09/16 04:31:29 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/09/16 04:31:29 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/09/16 04:31:29 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/09/16 04:30:49 | 000,000,184 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/09/16 04:27:10 | 000,004,608 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2009/09/16 04:26:33 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2009/09/15 16:43:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/15 16:23:07 | 000,000,218 | ---- | C] () -- C:\WINDOWS\ORAODBC.INI
[2009/09/15 16:09:47 | 005,243,027 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\OfflineVaultPH.log
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/11/13 16:38:05 | 000,000,455 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/10/22 14:15:12 | 000,036,912 | ---- | C] () -- C:\WINDOWS\System32\pcimsg.dll
[2008/10/22 14:15:12 | 000,020,536 | ---- | C] () -- C:\WINDOWS\System32\pcivdd.dll
[2008/10/21 18:16:49 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2008/10/21 16:22:46 | 000,000,344 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.ini
[2008/10/21 11:28:21 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/09/05 14:14:14 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4990.dll
[2007/08/16 16:17:50 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
[2007/01/03 11:24:36 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/01/03 11:22:46 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/01/03 11:22:14 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/09/29 20:52:00 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\jdde.dll
[2005/12/21 17:57:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\nsldappr32v50.dll
[2005/12/21 17:54:34 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\nsldapssl32v50.dll
[2005/09/22 13:16:12 | 000,051,392 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2005/03/31 11:27:18 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\SGCleanLocalGPO.dll
[2004/05/24 18:33:18 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\ArcotOCSPUtil.dll
[2004/04/02 14:01:22 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2002/03/13 15:46:46 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2001/07/31 10:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

< End of report >
  • 0

#18
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Combofix is still reporting winlogon and explorer as being infected

Do you have access to your windows cd or another computer running the same flavour of windows ?

Download Dr Web from here http://www.freedrweb.com/?lng=en link on the top right of the page, tick the EULA and then download

It will download as an 8 digit file save it to your desktop

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that
  • 0

#19
221b
    Member
  • Topic Starter
  • Member
  • 42 posts
I don't have access to a Windows CD (assuming to run the Microsoft Recovery Tool).

I've rerun Dr. Web as instructed and attached the log file.
  • 0

#20
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
OK do you have access to another XPSP3 computer where we can take a copy of winlogon and explorer ?

Also after dr web I would like to run this programme - it is a lot faster

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  • 0

#21
221b
    Member
  • Topic Starter
  • Member
  • 42 posts
Yes, I have another laptop with XPSP3. Should I grab Winlogon.exe from C:\windows\system32 and Explorer.exe from C:\windows?

Here's the log (nothing found):

2010/10/23 18:32:30.0078 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/23 18:32:30.0078 ================================================================================
2010/10/23 18:32:30.0078 SystemInfo:
2010/10/23 18:32:30.0078
2010/10/23 18:32:30.0078 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/23 18:32:30.0078 Product type: Workstation
2010/10/23 18:32:30.0078 ComputerName: AMRNYCLL3CCC3N
2010/10/23 18:32:30.0078 UserName: user
2010/10/23 18:32:30.0078 Windows directory: C:\WINDOWS
2010/10/23 18:32:30.0078 System windows directory: C:\WINDOWS
2010/10/23 18:32:30.0078 Processor architecture: Intel x86
2010/10/23 18:32:30.0078 Number of processors: 2
2010/10/23 18:32:30.0078 Page size: 0x1000
2010/10/23 18:32:30.0078 Boot type: Normal boot
2010/10/23 18:32:30.0078 ================================================================================
2010/10/23 18:32:30.0390 Initialize success
2010/10/23 18:32:31.0562 ================================================================================
2010/10/23 18:32:31.0562 Scan started
2010/10/23 18:32:31.0562 Mode: Manual;
2010/10/23 18:32:31.0562 ================================================================================
2010/10/23 18:32:34.0093 ================================================================================
2010/10/23 18:32:34.0093 Scan finished
2010/10/23 18:32:34.0093 ================================================================================
2010/10/23 18:33:09.0859 ================================================================================
2010/10/23 18:33:09.0859 Scan started
2010/10/23 18:33:09.0859 Mode: Manual;
2010/10/23 18:33:09.0859 ================================================================================
2010/10/23 18:33:12.0250 ================================================================================
2010/10/23 18:33:12.0250 Scan finished
2010/10/23 18:33:12.0250 ================================================================================
  • 0

#22
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Yes please, and if you could place them at C:\ i.e. C:\explorer.exe and C:\winlogon.exe. Then once done run this script for Combofix. At least at the end of this it should be squeaky clean


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Fcopy::
C:\explorer.exe|C:\windows\explorer.exe
C:\winlogon.exe|C:\windows\system32\winlogon.exe


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.

  • 0

#23
221b
    Member
  • Topic Starter
  • Member
  • 42 posts
So I just executed CF and it blue screened reporting something to the effect that a critical system process was terminated (I believe it was winlogon as a result of the copy). I rebooted and am still getting popups reported by Anti-malware.

I'm rerunning both OTL and CF now, without scripts, and will post logs.

I'm not sure if the file copy happened, however the timestamps on both of them are the same as those I copied from my clean machine...

Thoughts?
  • 0

#24
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
I will check on that once I see the cf log - the timestamps will be of last modification date :D
  • 0

#25
221b
    Member
  • Topic Starter
  • Member
  • 42 posts
ComboFix is reporting that the files are infected so I'm not sure if the copying was successful. It also deleted the two others in the root drive so I have to recopy them over.

I'll do that now and rerun CF with the file copy script above.
  • 0

#26
221b
    Member
  • Topic Starter
  • Member
  • 42 posts
Here's the last CF log (it's not really going to tell you much since I don't think the copy was successful, but I wanted to post).

Attached Files


  • 0

#27
221b
    Member
  • Topic Starter
  • Member
  • 42 posts
ComboFix is now blue screening with "DRIVER_IRQL_NOT_LESS_OR_EQUAL" error when I try to run the fcopy script. Will try once again...
  • 0

#28
221b
    Member
  • Topic Starter
  • Member
  • 42 posts
So I booted to safe mode after copying the files over to the root of C: again and reran the script. It reported that both were infected and looks to have copied the files as well (it ran fine through to completion).

However, I reran CF by itself immediately afterwards and it reported that both files are still infected.

So, either the files I copied over are infected or the copying script is not working. To the former, I ran CF on the "clean" machine and it did not report them as being infected. To the latter, I noticed that the files were deleted by CF. I'm assuming this is post the file copy?

Ideas?
  • 0

#29
221b
    Member
  • Topic Starter
  • Member
  • 42 posts
Here are the pre and post fcopy script CF logs...

Attached Files


  • 0

#30
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
OK, I think I know what is happening: Combofix is deleting the files before it does the copy phase

So let's use OTL instead. First copy the two files to your C drive as before

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    C:\windows\explorer.exe|C:\explorer.exe /replace
    C:\windows\system32\winlogon.exe|C:\winlogon.exe /replace

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0
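A defender's check for the replacement step in the ComboFix Fcopy:: script (#22) and the OTL :Files script above, added here as an example that is not from the thread or from either tool: it parses both script formats into (clean copy, target) pairs and compares SHA-256 hashes of the two files, since timestamps only show the last modification date and do not prove the copy happened. Assumptions (mine): Fcopy:: lines read clean|target and OTL /replace lines read target|clean, as they are used in the thread; the sample files are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# The two replacement scripts as quoted in the thread (ComboFix CFScript and OTL fix).
COMBOFIX_SCRIPT = r"""Fcopy::
C:\explorer.exe|C:\windows\explorer.exe
C:\winlogon.exe|C:\windows\system32\winlogon.exe
"""
OTL_SCRIPT = r""":Files
C:\windows\explorer.exe|C:\explorer.exe /replace
C:\windows\system32\winlogon.exe|C:\winlogon.exe /replace
"""


def parse_replace_script(script):
    """Return (clean_copy, target) pairs from either script format.
    Assumption (mine, matching the thread's usage): Fcopy:: lines are
    'clean|target'; OTL ':Files' lines ending in '/replace' are 'target|clean'."""
    pairs, section = [], None
    for raw in script.splitlines():
        line = raw.strip()
        if line.lower() == "fcopy::":
            section = "fcopy"
        elif line.lower() == ":files":
            section = "files"
        elif "|" in line:
            body, _, flag = line.partition(" /")
            left, _, right = (part.strip() for part in body.partition("|"))
            if section == "files" and flag.strip().lower() == "replace":
                pairs.append((right, left))  # OTL: target|clean
            elif section == "fcopy":
                pairs.append((left, right))  # ComboFix: clean|target
    return pairs


def sha256_of(path):
    # Hash in chunks so large binaries need not fit in memory.
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_replacements(pairs):
    """Map each target to 'replaced', 'differs', 'target missing' or 'clean copy missing'."""
    results = {}
    for clean, target in pairs:
        if not Path(clean).exists():
            results[target] = "clean copy missing"  # e.g. ComboFix removed the C:\ copies first
        elif not Path(target).exists():
            results[target] = "target missing"
        elif sha256_of(clean) == sha256_of(target):
            results[target] = "replaced"
        else:
            results[target] = "differs"
    return results


def demo():
    """Constructed sample files in a temp dir: one target replaced, one still
    differing, one whose clean copy was never made. Returns {basename: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in (("explorer.clean", b"clean explorer"), ("explorer.exe", b"clean explorer"),
                           ("winlogon.clean", b"clean winlogon"), ("winlogon.exe", b"patched winlogon")):
            (root / name).write_bytes(data)
        pairs = [(str(root / "explorer.clean"), str(root / "explorer.exe")),
                 (str(root / "winlogon.clean"), str(root / "winlogon.exe")),
                 (str(root / "gone.clean"), str(root / "sample.exe"))]
        results = verify_replacements(pairs)
    return {Path(target).name: status for target, status in results.items()}
```

On the real machine, run `verify_replacements(parse_replace_script(OTL_SCRIPT))` after the fix and before rebooting; a "differs" result for a target means the script did not take effect, whatever the timestamps say.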