
Misc redirects from Bing and Google [Closed]


  • This topic is locked
17 replies to this topic

#1 tricon7 (Authentic Member, 39 posts)

Posted 10 March 2013 - 12:22 PM

I get redirected from almost every link I click at Bing and Google. The only way I can go anywhere is to copy and paste directly into the URL bar. I've updated and run Malwarebytes Anti-Malware, and it found nothing. This is a work laptop that I use sometimes from home, so this is a particularly urgent matter for me. I would have already run a scan to put in here, but I didn't know what kind to run. Any help appreciated!

#2 tricon7 (Authentic Member, 39 posts)

Posted 11 March 2013 - 07:28 AM

Attached is the log file from HijackThis.

I might add that one of the programs that I use for work which depends on Java has stopped functioning, and it apparently coincides with when my browser started doing its redirecting.

----

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:39:12 AM, on 3/11/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CTLInst\CTLInst.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DWRCS.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\Plugins\usage\discusge.exe
C:\Windows\system32\suss.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\Plugins\usage\discfcsn.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Documents and Settings\JXD922870\Local Settings\Application Data\Updater26276\Updater26276.exe
C:\Program Files\Citrix\ICA Client\PNAMAIN.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\JXD922870\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll
O2 - BHO: CrossriderApp0026276 - {11111111-1111-1111-1111-110211621176} - C:\Program Files\Deal Spy\Deal Spy.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: GetSavin 5.0 - {192EB567-9665-4A18-A080-D8DA0AA74E69} - C:\Documents and Settings\JXD922870\Local Settings\Application Data\getsavin\ie\getsavin_1362885001.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: LLIEHlprObj Class - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [EDFcsn] C:\Program Files\Hewlett-Packard\Discovery Agent\Plugins\usage\discfcsn.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -autolaunched
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Updater26276.exe] C:\Documents and Settings\JXD922870\Local Settings\Application Data\Updater26276\Updater26276.exe /extensionid=26276 /extensionname='Deal Spy' /chromeid=dieckmbeafcedhihaiadnaanclccfihd /stayidle /delay=300
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://forums.adobe.com
O15 - Trusted Zone: *.report3.ccsurvey.com
O15 - Trusted Zone: *.confarchives.com
O15 - Trusted Zone: *.conferencing.com
O15 - Trusted Zone: *.conferencinghub.com
O15 - Trusted Zone: doc-share.corp.intranet
O15 - Trusted Zone: learningcenter.corp.intranet
O15 - Trusted Zone: *.directv.com
O15 - Trusted Zone: *.dstoutput.com
O15 - Trusted Zone: *.eqsalespt.com
O15 - Trusted Zone: *.force.com
O15 - Trusted Zone: *.iconf.net
O15 - Trusted Zone: *.intergies.com
O15 - Trusted Zone: *.kclisi01
O15 - Trusted Zone: *.kclisi02
O15 - Trusted Zone: *.kdnibp04
O15 - Trusted Zone: *.Liveperson.net
O15 - Trusted Zone: *.logmeinrescue.com
O15 - Trusted Zone: *.pramata.com
O15 - Trusted Zone: http://rio2ui.prod.com
O15 - Trusted Zone: rio2ui2.prod.com
O15 - Trusted Zone: http://einstein.qintra.com
O15 - Trusted Zone: qsi.qintra.com
O15 - Trusted Zone: sci.qintra.com
O15 - Trusted Zone: http://twist2.qintra.com
O15 - Trusted Zone: http://*.qtomavmpc025
O15 - Trusted Zone: *.qwestccc.com
O15 - Trusted Zone: *.salesforce.com
O15 - Trusted Zone: *.skillport.com
O15 - Trusted Zone: *.skillwsa.com
O15 - Trusted Zone: *.spw
O15 - Trusted Zone: http://*.ssapps
O15 - Trusted Zone: http://*.ssappsdev
O15 - Trusted Zone: centurylink.teds.com
O15 - Trusted Zone: *.ups.com
O15 - Trusted Zone: http://consultingplu...uswc.uswest.com
O15 - Trusted Zone: http://consultingplu...uswc.uswest.com
O15 - Trusted Zone: http://qtracker.uswc.uswest.com
O15 - Trusted Zone: *.verizonwireless.com
O15 - Trusted Zone: *.visual.force.com
O15 - Trusted Zone: *.vzwcorp.com
O15 - Trusted Zone: *.whmi.biz
O15 - Trusted Zone: *.confarchives.com (HKLM)
O15 - Trusted Zone: *.conferencing.com (HKLM)
O15 - Trusted Zone: *.directv.com (HKLM)
O15 - Trusted Zone: *.iconf.net (HKLM)
O15 - Trusted Zone: http://rio2ui.prod.com (HKLM)
O15 - Trusted Zone: rio2ui2.prod.com (HKLM)
O15 - Trusted Zone: http://einstein.qintra.com (HKLM)
O15 - Trusted Zone: http://epaycce.ad.qintra.com (HKLM)
O15 - Trusted Zone: qsi.qintra.com (HKLM)
O15 - Trusted Zone: sci.qintra.com (HKLM)
O15 - Trusted Zone: http://twist2.qintra.com (HKLM)
O15 - Trusted Zone: *.ups.com (HKLM)
O15 - Trusted Zone: http://consultingplu...uswc.uswest.com (HKLM)
O15 - Trusted Zone: http://consultingplu...uswc.uswest.com (HKLM)
O15 - Trusted Zone: http://qtracker.uswc.uswest.com (HKLM)
O16 - DPF: {538793D5-659C-4639-A56C-A179AD87ED44} (VPNWeb Control) - vpnweb.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://www.cvsphoto....veX_Control.cab
O16 - DPF: {EF55A67E-D9E4-4151-B026-1BE1B535ABFD} (ESDComputerName.ESDGetComputerName) - http://LOCALHOST/ESD...omputerName.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EQ.Intranet
O17 - HKLM\Software\..\Telephony: DomainName = EQ.Intranet
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EQ.Intranet
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.intranet,dhcp.intranet,ctl.intranet,eq.intranet,ad.qintra.com,qintra.com,uswc.uswest.com,qwest.net,net.intranet,centurytel.com,cte.net,test.intranet,dev.intranet,dev.qintra.com,nnet
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.intranet,dhcp.intranet,ctl.intranet,eq.intranet,ad.qintra.com,qintra.com,uswc.uswest.com,qwest.net,net.intranet,centurytel.com,cte.net,test.intranet,dev.intranet,dev.qintra.com,nnet
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: CMGShieldNP - CmgShieldNP.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CMGShield - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: CTLInst - Unknown owner - C:\Program Files\CTLInst\CTLInst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\SYSTEM32\EMSService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: HP DDMI Agent (prgnDiscAgent) - Unknown owner - C:\Program Files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: User Profile Hive Cleanup (UPHClean) - Windows ® Codename Longhorn DDK provider - C:\Program Files\UPHClean\uphclean.exe
O23 - Service: Cisco AnyConnect Secure Mobility Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
O23 - Service: DW WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 14411 bytes

Edited by tricon7, 11 March 2013 - 07:41 AM.
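A HijackThis log like the one above is long, and the helpers in threads like this read it by eye for a handful of patterns: browser helper objects (O2) and autoruns (O4) that load from a per-user data directory rather than Program Files, autorun commands that carry browser-extension installer switches, Winlogon Notify entries whose DLL is missing (O20), and services with no publisher string (O23). The script below is an added example, not part of this thread or of the HijackThis tool; the function and class names (`triage_line`, `triage_log`, `Finding`) are mine. The sample log is constructed from lines in the posted log. The adware-family names it watches for (Crossrider-built "Deal Spy", GetSavin) are known adware/PUP families; that is a fact about those products, not something this page states. A flag means "look at this", not a verdict: the CREDANT shield entry and the CTLInst service are the kind of managed-laptop tooling that is expected to be there, and a human still decides.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format. The entries are copied from
# the log posted in this thread so the triage rules have realistic input; the
# string is embedded here so the script runs offline.
SAMPLE_HJT_LOG = r"""O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CrossriderApp0026276 - {11111111-1111-1111-1111-110211621176} - C:\Program Files\Deal Spy\Deal Spy.dll
O2 - BHO: GetSavin 5.0 - {192EB567-9665-4A18-A080-D8DA0AA74E69} - C:\Documents and Settings\JXD922870\Local Settings\Application Data\getsavin\ie\getsavin_1362885001.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Updater26276.exe] C:\Documents and Settings\JXD922870\Local Settings\Application Data\Updater26276\Updater26276.exe /extensionid=26276 /extensionname='Deal Spy' /chromeid=dieckmbeafcedhihaiadnaanclccfihd /stayidle /delay=300
O20 - Winlogon Notify: CMGShieldNP - CmgShieldNP.dll (file missing)
O23 - Service: CTLInst - Unknown owner - C:\Program Files\CTLInst\CTLInst.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
"""

# Lower-case substrings of per-user writable locations. A BHO or autorun that
# loads from here deserves a look: installers with a publisher normally put
# their binaries under Program Files.
PER_USER_DIRS = ("\\local settings\\", "\\application data\\", "\\temp\\", "\\appdata\\")

# Known adware/PUP family names (assumption for this example: these are the
# families named in the posted log; extend the tuple for other logs).
ADWARE_MARKERS = ("crossrider", "deal spy", "getsavin")

# "O2 - BHO: ..." / "O23 - Service: ..." / "R0 - HKCU\..." and so on.
LINE_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str      # HijackThis section tag, e.g. "O2"
    reasons: list     # every rule that fired on this line
    line: str         # the original log line, stripped


def triage_line(line: str):
    """Apply the review rules to one HijackThis line.

    Returns a Finding when at least one rule fires, otherwise None. Lines that
    are not HijackThis entries (headers, process list) return None.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    low = body.lower()
    reasons = []
    if section == "O2":  # browser helper objects
        if any(mk in low for mk in ADWARE_MARKERS):
            reasons.append("BHO name or path matches a known adware family")
        if any(d in low for d in PER_USER_DIRS):
            reasons.append("BHO loads from a per-user data directory")
    elif section == "O4":  # Run-key and startup-folder autoruns
        if any(d in low for d in PER_USER_DIRS):
            reasons.append("autorun points into a per-user data directory")
        if "/extensionid=" in low or "/chromeid=" in low:
            reasons.append("autorun carries browser-extension installer switches")
    elif section == "O20":  # Winlogon Notify DLLs
        if "(file missing)" in low:
            reasons.append("Winlogon Notify DLL is missing on disk (dangling entry)")
    elif section == "O23":  # services
        if "unknown owner" in low:
            reasons.append("service binary has no publisher string")
    if not reasons:
        return None
    return Finding(section, reasons, line.strip())


def triage_log(text: str):
    """Run triage_line over a whole pasted log and keep only the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample, the script flags five of the eight lines: the two adware BHOs, the per-user autorun with extension switches, the dangling Winlogon Notify entry and the publisher-less service; the Adobe BHO and the two Symantec entries pass. Rules are deliberately substring checks so a helper can add a line per new pattern without touching the parser.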


#3 tricon7 (Authentic Member, 39 posts)

Posted 12 March 2013 - 10:01 AM

Bump.

#4 MrCharlie (SuperMember, Malware Team, 2,938 posts)

Posted 12 March 2013 - 11:14 AM

Welcome to the forum.

Download DDS from one of the links below and save it to your desktop:
http://download.blee...om/sUBs/dds.scr
http://download.blee...om/sUBs/dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double-click dds.scr or dds.com to run the tool; on Vista, Win 7 or Win 8, right-click and select Run as administrator.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.
When done, DDS will open two (2) logs: DDS.txt and Attach.txt.
Save both reports to your desktop.
Please copy & paste the contents of the following logs in your next reply.
You can ignore the note about zipping the Attach.txt file.

Then.........

Please remove any usb or external drives from the computer before you run this scan!

Please download RogueKiller to your desktop and run it.

http://tigzy.geeksto...ueKillerX64.exe <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, right-click on the program, select Run as Administrator to start, and when prompted, Allow it to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.


Note:
Removing malware can be unpredictable...things can go very wrong! Back up any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive.


  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • The removal of malware isn't instantaneous, please be patient.
  • Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------
(If I don't respond within 24 hours, please send me a PM)

MrC

#5 tricon7 (Authentic Member, 39 posts)

Posted 13 March 2013 - 05:37 PM

Just finished work and have just run the scans you requested. Just an FYI - this is my work laptop that stays connected to our network where I'm employed, so there are undoubtedly business applications on it.

Thanks.

---

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/15/2011 5:37:08 PM
System Uptime: 3/12/2013 8:12:39 AM (35 hours ago)
.
Motherboard: Dell Inc. | | 0FT292
Processor: Intel® Core™2 CPU T5500 @ 1.66GHz | Microprocessor | 1664/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 113.513 GiB free.
D: is CDROM ()
M: is NetworkDisk (NTFS) - 5606 GiB total, 2530.897 GiB free.
Y: is NetworkDisk (NTFS) - 4305 GiB total, 2079.706 GiB free.
Z: is NetworkDisk (NTFS) - 4305 GiB total, 2079.706 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Beep
Device ID: ROOT\LEGACY_BEEP\0000
Manufacturer:
Name: Beep
PNP Device ID: ROOT\LEGACY_BEEP\0000
Service: Beep
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0001
Service: vpnva
.
==== System Restore Points ===================
.
RP243: 12/14/2012 1:00:19 PM - System Checkpoint
RP244: 12/17/2012 1:10:18 PM - System Checkpoint
RP245: 12/18/2012 1:20:45 PM - System Checkpoint
RP246: 12/19/2012 5:22:27 PM - System Checkpoint
RP247: 12/21/2012 12:56:56 PM - System Checkpoint
RP248: 12/26/2012 12:50:33 PM - System Checkpoint
RP249: 12/26/2012 11:04:47 PM - Software Distribution Service 3.0
RP250: 12/28/2012 12:52:56 PM - System Checkpoint
RP251: 12/30/2012 10:40:23 PM - System Checkpoint
RP252: 1/2/2013 12:46:30 PM - System Checkpoint
RP253: 1/3/2013 12:52:09 PM - System Checkpoint
RP254: 1/4/2013 1:00:10 PM - System Checkpoint
RP255: 1/7/2013 1:32:35 PM - System Checkpoint
RP256: 1/8/2013 5:14:00 PM - System Checkpoint
RP257: 1/9/2013 5:32:39 PM - System Checkpoint
RP258: 1/11/2013 12:42:44 PM - System Checkpoint
RP259: 1/13/2013 7:54:34 PM - System Checkpoint
RP260: 1/14/2013 8:44:32 PM - System Checkpoint
RP261: 1/15/2013 9:44:36 PM - System Checkpoint
RP262: 1/16/2013 8:06:06 AM - Software Distribution Service 3.0
RP263: 1/17/2013 10:19:30 AM - System Checkpoint
RP264: 1/18/2013 1:02:34 PM - System Checkpoint
RP265: 1/19/2013 1:06:33 PM - System Checkpoint
RP266: 1/20/2013 2:06:34 PM - System Checkpoint
RP267: 1/21/2013 3:46:44 PM - System Checkpoint
RP268: 1/22/2013 5:14:12 PM - System Checkpoint
RP269: 1/23/2013 5:43:15 PM - System Checkpoint
RP270: 1/24/2013 5:52:54 PM - System Checkpoint
RP271: 1/24/2013 11:00:56 PM - Software Distribution Service 3.0
RP272: 1/28/2013 10:33:57 AM - System Checkpoint
RP273: 1/29/2013 11:15:28 AM - System Checkpoint
RP274: 1/30/2013 2:44:49 PM - System Checkpoint
RP275: 1/31/2013 5:15:22 PM - System Checkpoint
RP276: 2/3/2013 7:32:51 PM - Installed HiJackThis
RP277: 2/5/2013 10:40:36 AM - System Checkpoint
RP278: 2/5/2013 7:11:34 PM - 2-5-13 Restore Point
RP279: 2/5/2013 8:13:22 PM - Malwarebytes Anti-Rootkit Restore Point
RP280: 2/7/2013 10:45:22 AM - System Checkpoint
RP281: 2/8/2013 1:19:06 PM - System Checkpoint
RP282: 2/11/2013 1:03:19 PM - System Checkpoint
RP283: 2/12/2013 1:04:16 PM - System Checkpoint
RP284: 2/13/2013 8:13:54 AM - Removed Java™ 7 Update 5
RP285: 2/14/2013 12:57:26 PM - System Checkpoint
RP286: 2/15/2013 1:22:39 PM - System Checkpoint
RP287: 2/18/2013 5:43:40 PM - System Checkpoint
RP288: 2/19/2013 6:54:27 PM - System Checkpoint
RP289: 2/20/2013 7:30:01 PM - System Checkpoint
RP290: 2/21/2013 2:43:12 PM - Software Distribution Service 3.0
RP291: 2/22/2013 5:31:57 PM - System Checkpoint
RP292: 2/23/2013 6:19:07 PM - System Checkpoint
RP293: 2/24/2013 7:06:39 PM - System Checkpoint
RP294: 2/25/2013 8:05:58 PM - System Checkpoint
RP295: 2/26/2013 9:19:25 PM - System Checkpoint
RP296: 2/27/2013 10:05:58 PM - System Checkpoint
RP297: 2/28/2013 10:06:59 PM - System Checkpoint
RP298: 2/28/2013 11:02:58 PM - Software Distribution Service 3.0
RP299: 3/1/2013 11:19:23 PM - System Checkpoint
RP300: 3/2/2013 11:26:04 PM - System Checkpoint
RP301: 3/4/2013 12:11:38 AM - System Checkpoint
RP302: 3/5/2013 1:11:40 AM - System Checkpoint
RP303: 3/6/2013 1:24:43 AM - System Checkpoint
RP304: 3/7/2013 2:23:48 AM - System Checkpoint
RP305: 3/8/2013 3:05:09 AM - System Checkpoint
RP306: 3/10/2013 4:21:46 PM - System Checkpoint
RP307: 3/11/2013 8:32:44 PM - System Checkpoint
RP308: 3/12/2013 9:18:17 PM - System Checkpoint
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 3 (SP3)
Access Snapshot Viewer
Add In Tools 2004.04.15
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.3
Adobe Shockwave Player 12.0
Adobe_Acrobat8AndLowerUninstall_1.0
Agent Desktop Displays
ALPS Touch Pad Driver
Amazon Kindle
App Portal ActiveX Control for Internet Explorer
AutoUpdate
BlueZone
BlueZoneSessions_General_10_12_21
BlueZoneVBA
CCMA ActiveX Controls
CenturyLink Google Search
CenturyLink_Wireless_Config_12_06_07
Cisco AnyConnect 3.0.08057
Cisco AnyConnect Secure Mobility Client
Cisco AnyConnect Secure Mobility Client
Cisco Systems VPN Client 5.0.07.0290
Citrix Presentation Server Client
CMG Windows Shield
Conexant HDA D110 MDC V.92 Modem
Configuration Manager Client
CTL Desktop Migration Tool
CTLInst_6_17
Custom_Company_Screen_Saver_1_2
DameWare Mini Remote Control Client Agent Service
Deal Spy
DivX Codec
DivX Converter
DivX Player
DivX Version Checker
DivX Web Player
DSSO_Config_11_12_14
DW WLAN Card Utility
Embarq .NET Framework Config
Embarq Defrag
Embarq Fonts
Embarq Tag File
Embarq Trebuchet Fonts
Enterprise PDF Printer
EQ_Intranet_Tag
GetSavin
Hewlett-Packard DDMI 9.32.2430
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Office (KB2687329)
HP DDM Inventory Agent (x86) 9.32.000.2421
IE_HOMEPAGE_UPDATE_1_0
IE_ZoneMap_Configuration_11_01_14
Intel® Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 12
Java 7 Update 13
Java Auto Updater
Java™ 6 Update 30
JavaFX 2.1.1
Kontiki Media Manager
Livelink Explorer Professional 4.8.5
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.70.0.1100
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Conferencing Add-in for Microsoft Office Outlook
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Communicator 2007 R2
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 19.0.2 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB2758694)
Notepad++
Office_Communicator_SIP_CHANGE_12_01_09
PcTech Password Update
Pirate101
PowerDVD DX
RDC
RealPlayer
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Screen Share 8.1.1
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Skype Click to Call
Skype™ 6.2
Snagit 10
Sonic CinePlayer Decoder Pack
Symantec Endpoint Protection
Symposium_ADD_INI_CFG_09_06_18
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2767848) 32-Bit Edition
User Profile Hive Cleanup Service
VanDyke Software SecureCRT 6.6
VC80CRTRedist - 8.0.50727.762
VLC media player 2.0.5
WebFldrs XP
WIMGAPI
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinPcap_3_1
WinRAR 4.11 (32-bit)
WinRAR_3_50
.
==== Event Viewer Messages From Past Week ========
.
3/9/2013 8:12:58 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
3/9/2013 10:58:51 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
3/9/2013 10:56:48 PM, error: NETLOGON [5719] - No Domain Controller is available for domain EQ due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
3/9/2013 10:56:45 PM, error: CMGShieldReg [8217] - Failed to save settings.
3/12/2013 8:07:13 AM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {05D1D5D8-18D1-4B83-85ED-A0F99D53C885} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
3/11/2013 8:22:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: WPS
3/11/2013 8:22:20 AM, error: Service Control Manager [7000] - The WPS service failed to start due to the following error: The system cannot find the file specified.
3/11/2013 7:57:47 AM, error: NETLOGON [5719] - No Domain Controller is available for domain EQ due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
.
==== End Of File ===========================


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by JXD922870 at 19:24:36 on 2013-03-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.1229 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\CTLInst\CTLInst.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\DWRCS.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\Plugins\usage\discusge.exe
C:\Windows\system32\suss.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\Plugins\usage\discfcsn.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Documents and Settings\JXD922870\Local Settings\Application Data\Updater26276\Updater26276.exe
C:\Program Files\Citrix\ICA Client\PNAMAIN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\VanDyke Software\SecureCRT\SecureCRT.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
c:\program files\deal spy\deal spy-bg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nortel\ADD\ADDTabular.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Citrix\ICA Client\wfica32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: Deal Spy: {11111111-1111-1111-1111-110211621176} - c:\program files\deal spy\Deal Spy.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: GetSavin 5.0: {192EB567-9665-4A18-A080-D8DA0AA74E69} - c:\documents and settings\jxd922870\local settings\application data\getsavin\ie\getsavin_1362885001.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: LLIEHlprObj Class: {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - c:\program files\open text\livelink explorer\LLBHO3.dll
TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Updater26276.exe] c:\documents and settings\jxd922870\local settings\application data\updater26276\Updater26276.exe /extensionid=26276 /extensionname='Deal Spy' /chromeid=dieckmbeafcedhihaiadnaanclccfihd /stayidle /delay=300
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [CmgShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [EmsService] EmsServiceHelper.exe
mRun: [EDFcsn] c:\program files\hewlett-packard\discovery agent\plugins\usage\discfcsn.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Cisco AnyConnect Secure Mobility Agent for Windows] "c:\program files\cisco\cisco anyconnect secure mobility client\vpnui.exe" -autolaunched
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\windows\installer\{2624b680-02bc-4cbc-839c-da20df6ef6ec}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoSMBalloonTip = dword:1
uPolicies-Explorer: EditLevel = dword:0
uPolicies-Explorer: NoCommonGroups = dword:0
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: ForceStartMenuLogOff = dword:1
uPolicies-Explorer: NoWindowsUpdate = dword:1
uPolicies-Explorer: NoWelcomeScreen = dword:1
uPolicies-Explorer: NoAutoUpdate = dword:1
uPolicies-Explorer: DisallowRun = dword:1
uPolicies-DisallowRun: 1 = biprep.exe
uPolicies-DisallowRun: 2 = doom.exe
uPolicies-DisallowRun: 3 = freecell.exe
uPolicies-DisallowRun: 4 = hbinst.exe
uPolicies-DisallowRun: 5 = hbsrv.exe
uPolicies-DisallowRun: 6 = hotbar.exe
uPolicies-DisallowRun: 7 = mshearts.exe
uPolicies-DisallowRun: 8 = pinball.exe
uPolicies-DisallowRun: 9 = poledit.exe
uPolicies-DisallowRun: 10 = quake.exe
uPolicies-DisallowRun: 11 = secretmaker.exe
uPolicies-DisallowRun: 12 = secretmakersetup.exe
uPolicies-DisallowRun: 13 = sol.exe
uPolicies-DisallowRun: 14 = winmine.exe
uPolicies-System: ConnectHomeDirToRoot = dword:0
mPolicies-Explorer: NoMSAppLogo5ChannelNotify = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: RunLogonScriptSync = dword:0
mPolicies-System: HideStartupScripts = dword:1
mPolicies-Windows\System: AllowX-ForestPolicy-and-RUP = dword:1
mPolicies-Windows\System: AddAdminGroupToRUP = dword:1
mPolicies-Windows\System: CompatibleRUPSecurity = dword:1
mPolicies-Windows\System: LeaveAppMgmtData = dword:1
mPolicies-Windows\System: SlowLinkUIEnabled = dword:1
mPolicies-Windows\System: UserProfileMinTransferRate = dword:500
mPolicies-Windows\System: SlowLinkTimeOut = dword:2000
mPolicies-Windows\System: ProfileDlgTimeOut = dword:10
mPolicies-Windows\System: SlowLinkProfileDefault = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: confarchives.com
Trusted Zone: conferencing.com
Trusted Zone: conferencinghub.com
Trusted Zone: directv.com
Trusted Zone: dstoutput.com
Trusted Zone: eqsalespt.com
Trusted Zone: force.com
Trusted Zone: iconf.net
Trusted Zone: intergies.com
Trusted Zone: ips.ihost.com
Trusted Zone: kclisi01
Trusted Zone: kclisi02
Trusted Zone: kdnibp04
Trusted Zone: Liveperson.net
Trusted Zone: logmeinrescue.com
Trusted Zone: pramata.com
Trusted Zone: qtomavmpc025
Trusted Zone: qwestccc.com
Trusted Zone: salesforce.com
Trusted Zone: skillport.com
Trusted Zone: skillwsa.com
Trusted Zone: spw
Trusted Zone: ssapps
Trusted Zone: ssappsdev
Trusted Zone: ups.com
Trusted Zone: verizonwireless.com
Trusted Zone: visual.force.com
Trusted Zone: vzwcorp.com
Trusted Zone: whmi.biz
Trusted Zone: confarchives.com
Trusted Zone: conferencing.com
Trusted Zone: directv.com
Trusted Zone: iconf.net
Trusted Zone: ips.ihost.com
Trusted Zone: ups.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {538793D5-659C-4639-A56C-A179AD87ED44} - vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {EF55A67E-D9E4-4151-B026-1BE1B535ABFD} - hxxp://LOCALHOST/ESD/ESDComputerName.CAB
TCP: NameServer = 10.206.132.31 10.3.153.115
TCP: Interfaces\{104900BF-14C9-4843-B232-2EFF23044793} : DHCPNameServer = 10.206.132.31 10.3.153.115
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: CMGShieldNP - CmgShieldNP.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: APPSHAREHKCU - c:\windows\appsharehkcu.EXE
mASetup: CCSCR - c:\windows\CCSCR.EXE
mASetup: Livelink_Explorer_Professional_4_8_5 - c:\program files\open text\livelink explorer\LiveLinkExplorer485_ActiveSetup.EXE /s
mASetup: OCSSIPCHNG - c:\windows\OCSSIPCHNG.EXE /s
mASetup: WinRAR - c:\progra~1\winrar\WinRAR_3_50_config.EXE /s
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jxd922870\application data\mozilla\firefox\profiles\c7tc2z1m.default\
FF - prefs.js: browser.startup.homepage - www.bing.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\jxd922870\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\vlc\npvlc.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_168.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-02-22 00:02; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: 2013-03-09 22:26; cca2b8f2-77b0-4282-9533-b31982107a80@ef5174e8-db70-4d61-88df-24b975460bd0.com; c:\documents and settings\jxd922870\application data\mozilla\firefox\profiles\c7tc2z1m.default\extensions\cca2b8f2-77b0-4282-9533-b31982107a80@ef5174e8-db70-4d61-88df-24b975460bd0.com
.
============= SERVICES / DRIVERS ===============
.
R0 CmgHiber;CmgHiber;c:\windows\system32\drivers\CmgHiber.sys [2011-8-25 101736]
R0 CmgPCS;Credant PCS;c:\windows\system32\drivers\CmgPCS.sys [2011-8-25 101088]
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2008-8-6 309096]
R0 CMGShieldReg;CMGShieldReg;c:\windows\system32\drivers\CmgShREG.sys [2011-8-25 22888]
R1 CTLInst_;CTLInst_;c:\program files\ctlinst\CTLInst_.sys [2012-5-8 77760]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2012-3-1 108456]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2012-3-1 108456]
R2 CMGShield;CMGShield;c:\windows\system32\CmgShieldSvc.exe [2008-8-6 2672232]
R2 CTLInst;CTLInst;c:\program files\ctlinst\CTLInst.exe [2012-5-8 937984]
R2 EMS;EMS;EMSService.exe --> EMSService.exe [?]
R2 prgnDiscAgent;HP DDMI Agent;c:\program files\hewlett-packard\discovery agent\bin32\discagnt.exe [2012-7-15 826752]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-1-31 3289208]
R2 SU;SU Service;c:\windows\system32\suss.exe [2011-5-31 17168]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2012-3-1 1851224]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\cisco\cisco anyconnect secure mobility client\vpnagent.exe [2012-6-7 478712]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-14 106656]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20130313.002\NAVENG.SYS [2013-3-13 93296]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20130313.002\NAVEX15.SYS [2013-3-13 1603824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-7 161384]
S3 acsint;acsint;c:\windows\system32\drivers\acsint.sys [2013-1-18 38440]
S3 acsmux;acsmux;c:\windows\system32\drivers\acsmux.sys [2013-1-18 57256]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [2008-8-6 173672]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-10-28 23888]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-12-16 32512]
S3 RemoteCmd;Remote Command Server;RCMDSVC.EXE --> RCMDSVC.EXE [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2011-5-31 17968]
.
=============== Created Last 30 ================
.
2013-03-10 04:54:20 -------- d-----w- c:\program files\VLC
2013-03-10 03:26:59 -------- d-----w- c:\documents and settings\jxd922870\local settings\application data\Updater26276
2013-03-10 03:26:54 -------- d-----w- c:\program files\Deal Spy
2013-03-10 03:12:11 -------- d-----w- c:\documents and settings\jxd922870\local settings\application data\getsavin
2013-02-27 04:00:14 -------- d-----w- c:\program files\Flexera Software
2013-02-21 20:45:54 -------- d-----r- c:\program files\Skype
2013-02-21 19:51:49 -------- d-----w- c:\windows\system32\Adobe
2013-02-13 13:14:55 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M ====================
.
2013-02-21 19:45:56 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-21 19:45:56 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-13 13:14:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-02-13 13:14:35 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-02-13 13:14:35 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:32:34 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:45:12 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:32:36 1876224 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-12-26 20:16:29 916480 ----a-w- c:\windows\system32\wininet.dll
2012-12-26 20:16:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-12-26 20:16:28 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-12-24 06:40:59 385024 ----a-w- c:\windows\system32\html.iec
2012-12-19 23:38:05 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 19:26:50.80 ===============



RogueKiller V8.5.3 [Mar 13 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : JXD922870 [Admin rights]
Mode : Scan -- Date : 03/13/2013 19:33:25
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] Updater26276.exe -- C:\Documents and Settings\JXD922870\Local Settings\Application Data\Updater26276\Updater26276.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Updater26276.exe (C:\Documents and Settings\JXD922870\Local Settings\Application Data\Updater26276\Updater26276.exe /extensionid=26276 /extensionname='Deal Spy' /chromeid=dieckmbeafcedhihaiadnaanclccfihd /stayidle /delay=300) [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2305005450-964744091-3992044339-408550[...]\Run : Updater26276.exe (C:\Documents and Settings\JXD922870\Local Settings\Application Data\Updater26276\Updater26276.exe /extensionid=26276 /extensionname='Deal Spy' /chromeid=dieckmbeafcedhihaiadnaanclccfihd /stayidle /delay=300) [7] -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8A2E9A78)
SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A2C9A78)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x8A6556D0)
SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8A704870)
SSDT[43] : NtCreateMutant @ 0x80617748 -> HOOKED (Unknown @ 0x8A309A78)
SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8A6FCE58)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A633258)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9288 -> HOOKED (Unknown @ 0x8A2E6A78)
SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x8A2E7A78)
SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8A787A70)
SSDT[114] : NtOpenEvent @ 0x8060F106 -> HOOKED (Unknown @ 0x8A2E1A78)
SSDT[123] : NtOpenProcessToken @ 0x805EDF56 -> HOOKED (Unknown @ 0x8A2BCA78)
SSDT[129] : NtOpenThreadToken @ 0x805EDF74 -> HOOKED (Unknown @ 0x8A323A78)
SSDT[143] : NtQueryDefaultLocale @ 0x80610DB0 -> HOOKED (\SystemRoot\SYSTEM32\Drivers\SysPlant.sys @ 0xA863B720)
SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x8A2C7A78)
SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x8A2BAA78)
SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8A328A78)
SSDT[229] : NtSetInformationThread @ 0x805CC154 -> HOOKED (Unknown @ 0x8A31CA78)
SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A2E0A78)
SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x8A2B7A78)
SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8A2BEA78)
SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A2B8A78)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x8A2BBA78)
SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A709B40)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x88C23DD8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600BEKT-00PVMT0 +++++
--- User ---
[MBR] 1bd8dcc0b0c07f38fbdc03a67834ef23
[BSP] 18b70d9c9645f3508b581b9ff370a325 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152616 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03132013_02d1933.txt >>
RKreport[1]_S_03132013_02d1933.txt

Edited by tricon7, 13 March 2013 - 05:41 PM.


#6 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,938 posts

Posted 13 March 2013 - 05:46 PM

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)

[RUN][SUSP PATH] HKCU\[...]\Run : Updater26276.exe (C:\Documents and Settings\JXD922870\Local Settings\Application Data\Updater26276\Updater26276.exe /extensionid=26276 /extensionname='Deal Spy' /chromeid=dieckmbeafcedhihaiadnaanclccfihd /stayidle /delay=300) [7] -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-2305005450-964744091-3992044339-408550[...]\Run : Updater26276.exe (C:\Documents and Settings\JXD922870\Local Settings\Application Data\Updater26276\Updater26276.exe /extensionid=26276 /extensionname='Deal Spy' /chromeid=dieckmbeafcedhihaiadnaanclccfihd /stayidle /delay=300) [7] -> FOUND


Now click Delete on the right hand column under Options

-------------

Next..................

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

~~~~~~~~~~~~~~~~~~~~~~~

Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
  • Internet access
  • Windows Update
  • Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.
Verify that your system is now functioning normally.


MrC
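As an added example (not code from this thread, from DDS or from RogueKiller), the script below applies the idea behind RogueKiller's [SUSP PATH] tag to the uRun/mRun and BHO lines that a DDS report prints: an autorun entry or browser helper whose binary sits under the user's own profile, or that is listed only as a bare file name with no path, is surfaced for closer inspection. The sample lines are copied from the DDS report earlier in this thread; the list of profile directories is this example's own heuristic and is an assumption, not a rule set from either tool.

```python
"""Triage DDS-style autorun and BHO lines for persistence in user-writable paths.

Added example, not code from the thread, DDS or RogueKiller. Flags entries
whose binary lives under the user's profile or is given only as a bare file
name; both patterns are worth a look, neither proves an entry is malicious.
"""
import re

# Directory fragments under the user profile that machine-wide software rarely
# uses for autorun binaries but adware and droppers routinely do.
# Heuristic list chosen for this example (assumption), not a complete rule set.
PROFILE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\temp\\",
)

# DDS "Pseudo HJT Report" line shapes (u = HKCU, m = HKLM):
#   uRun: [Name] <command line>
#   BHO: Name: {CLSID} - <dll path>
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.+?):\s*\{[0-9A-F-]+\}\s*-\s*(?P<path>.+)$", re.I)
# Drive-letter path (c:\...) or UNC path (\\server\...)
ABS_PATH_RE = re.compile(r"^(?:[a-z]:\\|\\\\)", re.I)


def image_path(cmd):
    """Return the executable path from a Run value.

    A quoted path is taken verbatim; an unquoted one is cut at the end of the
    first '.exe' token so trailing switches (/stayidle, -scheduler) are dropped.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def classify(path):
    """Return a reason string if the path deserves attention, else None."""
    p = path.strip().lower()
    if not ABS_PATH_RE.match(p):
        return "not an absolute path (resolved through PATH search at logon)"
    if any(d in p for d in PROFILE_DIRS):
        return "binary lives under the user profile, a user-writable location"
    return None


def triage(lines):
    """Scan DDS report lines and return a list of finding dicts.

    Only uRun/mRun and BHO lines are inspected; every other line is ignored.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hive = "HKCU" if m.group("hive").lower() == "u" else "HKLM"
            kind = hive + "\\...\\Run"
            name = m.group("name")
            image = image_path(m.group("cmd"))
        else:
            m = BHO_RE.match(line)
            if not m:
                continue
            kind = "BHO"
            name = m.group("name")
            image = m.group("path")
        reason = classify(image)
        if reason:
            findings.append({"kind": kind, "name": name, "image": image, "reason": reason})
    return findings


# Sample input: lines copied from the DDS report posted in this thread.
SAMPLE_LINES = [
    "uStart Page = hxxp://www.bing.com/",
    "BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - c:\\program files\\techsmith\\snagit 10\\SnagitBHO.dll",
    "BHO: GetSavin 5.0: {192EB567-9665-4A18-A080-D8DA0AA74E69} - c:\\documents and settings\\jxd922870\\local settings\\application data\\getsavin\\ie\\getsavin_1362885001.dll",
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
    'uRun: [ISUSPM] "c:\\program files\\common files\\installshield\\updateservice\\ISUSPM.exe" -scheduler',
    "uRun: [Updater26276.exe] c:\\documents and settings\\jxd922870\\local settings\\application data\\updater26276\\Updater26276.exe /extensionid=26276 /extensionname='Deal Spy' /stayidle /delay=300",
    'mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"',
    "mRun: [EmsService] EmsServiceHelper.exe",
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['kind']:<14} {f['name']:<20} {f['image']}")
        print(f"    -> {f['reason']}")
```

Run it against a saved DDS log with `triage(open(path).read().splitlines())`. On the report above it surfaces the Deal Spy updater entry that MrCharlie asked to have deleted, plus the GetSavin BHO loading from the same profile directory; the EmsService entry is listed only because the report shows it by bare file name, which is a reason to check where it resolves, not a reason to delete it.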

#7 tricon7

tricon7

    Authentic Member

  • Authentic Member
  • 39 posts
  • Interests:Computers, exercising, writing, origin-science.

Posted 14 March 2013 - 01:30 PM

I have to leave town until Monday and the computer has to stay here at work. The rootkit scan took much longer than I anticipated, so I wasn't able to get it done beforehand. Please keep this thread open until I can return Monday to run it again and post the logs. Thanks!

#8 tricon7

tricon7

    Authentic Member

  • Authentic Member
  • 39 posts
  • Interests:Computers, exercising, writing, origin-science.

Posted 19 March 2013 - 10:25 AM

Beginning rootkit scan now. So sorry for the delay. I hope it finishes within an hour.

#9 tricon7

tricon7

    Authentic Member

  • Authentic Member
  • 39 posts
  • Interests:Computers, exercising, writing, origin-science.

Posted 19 March 2013 - 12:14 PM

I ran the MB rootkit program and it found three items, which I deleted, then rebooted. Upon reboot, I tested it and I'm still getting redirected in Firefox. I'll do the rootkit scan again when I get home from work and see if anything else is found. Thanks. --- Malwarebytes Anti-Rootkit BETA 1.01.0.1021 www.malwarebytes.org Database version: v2013.03.19.08 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 JXD922870 :: EQ221543 [administrator] 3/19/2013 1:15:28 PM mbar-log-2013-03-19 (13-15-28).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 31231 Time elapsed: 47 minute(s), 42 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 1 HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Delete on reboot. Registry Values Detected: 1 HKCU\SOFTWARE\CROSSRIDER|215AppVerifier (Adware.GamePlayLab) -> Data: 19a1a72a5ad3bac33a4073c496812392 -> Delete on reboot. Registry Data Items Detected: 1 HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot. 
Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.01.0.1021 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 Java version: 1.6.0_30 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 1.664000 GHz Memory total: 3210788864, free: 1981947904 ------------ Kernel report ------------ 03/14/2013 15:03:31 ------------ Loaded modules ----------- \WINDOWS\system32\ntkrnlpa.exe \WINDOWS\system32\hal.dll \WINDOWS\system32\KDCOM.DLL \WINDOWS\system32\BOOTVID.dll ACPI.sys \WINDOWS\system32\DRIVERS\WMILIB.SYS pci.sys isapnp.sys CmgHiber.sys \WINDOWS\system32\DRIVERS\CmgCrypt.SYS compbatt.sys \WINDOWS\system32\DRIVERS\BATTC.SYS pciide.sys \WINDOWS\system32\DRIVERS\PCIIDEX.SYS intelide.sys pcmcia.sys MountMgr.sys ftdisk.sys dmload.sys dmio.sys PartMgr.sys VolSnap.sys atapi.sys disk.sys \WINDOWS\system32\DRIVERS\CLASSPNP.SYS fltMgr.sys CMGShCEF.sys sr.sys CmgShREG.sys DLACDBHM.SYS DRVMCDB.SYS PxHelp20.sys KSecDD.sys Ntfs.sys NDIS.sys Mup.sys CmgPCS.sys \SystemRoot\system32\DRIVERS\smsmdm.sys \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS \SystemRoot\system32\DRIVERS\intelppm.sys \SystemRoot\system32\DRIVERS\wmiacpi.sys \SystemRoot\system32\DRIVERS\CmBatt.sys \SystemRoot\system32\DRIVERS\igxpmp32.sys \SystemRoot\system32\DRIVERS\HDAudBus.sys \SystemRoot\system32\DRIVERS\bcmwl5.sys \SystemRoot\system32\DRIVERS\b57xp32.sys \SystemRoot\system32\DRIVERS\usbuhci.sys \SystemRoot\system32\DRIVERS\USBPORT.SYS \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\DRIVERS\i8042prt.sys \SystemRoot\system32\DRIVERS\Apfiltr.sys \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\serial.sys \SystemRoot\system32\DRIVERS\serenum.sys \SystemRoot\system32\DRIVERS\parport.sys 
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\DamewareMini.sys
\SystemRoot\system32\DRIVERS\dne2000.sys
\SystemRoot\system32\DRIVERS\dwvkbd.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\teefer2.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\omci.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\sthda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\HSXHWAZL.sys
\SystemRoot\system32\DRIVERS\HSX_DPV.sys
\SystemRoot\system32\DRIVERS\HSX_CNXT.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\DLARTL_M.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\SYMTDI.SYS
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\SYSTEM32\Drivers\SysPlant.sys
\SystemRoot\System32\Drivers\SRTSPX.SYS
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\??\C:\Program Files\CTLInst\CTLInst_.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\oz776.sys
\SystemRoot\System32\Drivers\SMCLIB.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\DRVNDDM.SYS
\SystemRoot\System32\Drivers\DLADResM.SYS
\SystemRoot\System32\Drivers\DLAIFS_M.SYS
\SystemRoot\System32\Drivers\DLAOPIOM.SYS
\SystemRoot\System32\Drivers\DLAPoolM.SYS
\SystemRoot\System32\Drivers\DLABMFSM.SYS
\SystemRoot\System32\Drivers\DLABOIOM.SYS
\SystemRoot\System32\Drivers\DLAUDFAM.SYS
\SystemRoot\System32\Drivers\DLAUDF_M.SYS
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\System32\Drivers\TDTCP.SYS
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\System32\Drivers\SRTSP.SYS
\??\C:\WINDOWS\system32\CCM\prepdrv.sys
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130313.034\NAVEX15.SYS
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130313.034\NAVENG.SYS
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\SYMREDRV.SYS
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\Windows\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8abc1ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff8aca9940
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Load Function returned 0x0
Downloaded database version: v2013.03.14.09
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8abc1ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8abc2930, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8abc1970, DeviceName: Unknown, DriverName: \Driver\CmgHiber\
DevicePointer: 0xffffffff8abc1ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8accb510, DeviceName: \Device\000000a1\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8aca9940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\CmgHiber\
Upper DeviceData: 0xffffffffe8499218, 0xffffffff8abc1ab8, 0xffffffff88807ab8
Lower DeviceData: 0xffffffffe1fb93d0, 0xffffffff8aca9940, 0xffffffff8842c4c8
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F287A88E
Partition information:
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 312558592
Partition file system is NTFS
Partition is bootable
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 160041885696 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-312561808-312581808)...
Done!
Performing system, memory and registry scan...
Scan Interrupted
Done!
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
© Malwarebytes Corporation 2011-2012
OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
Java version: 1.6.0_30
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.664000 GHz
Memory total: 3210788864, free: 1630785536
------------ Kernel report ------------
03/19/2013 12:27:07
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
CmgHiber.sys
\WINDOWS\system32\DRIVERS\CmgCrypt.SYS
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
intelide.sys
pcmcia.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
CMGShCEF.sys
sr.sys
CmgShREG.sys
DLACDBHM.SYS
DRVMCDB.SYS
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
CmgPCS.sys
\SystemRoot\system32\DRIVERS\smsmdm.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\igxpmp32.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\bcmwl5.sys
\SystemRoot\system32\DRIVERS\b57xp32.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\Apfiltr.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\DamewareMini.sys
\SystemRoot\system32\DRIVERS\dne2000.sys
\SystemRoot\system32\DRIVERS\dwvkbd.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\teefer2.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\omci.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\sthda.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\HSXHWAZL.sys
\SystemRoot\system32\DRIVERS\HSX_DPV.sys
\SystemRoot\system32\DRIVERS\HSX_CNXT.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\DLARTL_M.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\SYMTDI.SYS
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\SYSTEM32\Drivers\SysPlant.sys
\SystemRoot\System32\Drivers\SRTSPX.SYS
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\??\C:\Program Files\CTLInst\CTLInst_.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\oz776.sys
\SystemRoot\System32\Drivers\SMCLIB.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\igxpgd32.dll
\SystemRoot\System32\igxprd32.dll
\SystemRoot\System32\igxpdv32.DLL
\SystemRoot\System32\igxpdx32.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\DRVNDDM.SYS
\SystemRoot\System32\Drivers\DLADResM.SYS
\SystemRoot\System32\Drivers\DLAIFS_M.SYS
\SystemRoot\System32\Drivers\DLAOPIOM.SYS
\SystemRoot\System32\Drivers\DLAPoolM.SYS
\SystemRoot\System32\Drivers\DLABMFSM.SYS
\SystemRoot\System32\Drivers\DLABOIOM.SYS
\SystemRoot\System32\Drivers\DLAUDFAM.SYS
\SystemRoot\System32\Drivers\DLAUDF_M.SYS
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\System32\Drivers\TDTCP.SYS
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\System32\Drivers\SRTSP.SYS
\??\C:\WINDOWS\system32\CCM\prepdrv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\SYMREDRV.SYS
\SystemRoot\System32\Drivers\Fastfat.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130316.006\NAVEX15.SYS
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130316.006\NAVENG.SYS
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\Windows\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8abc1ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff8aca9940
Lower Device Driver Name: \Driver\atapi\
Device already Exists: 0xffffffff8842c4c8
Downloaded database version: v2013.03.19.08
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8abc1ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8abc2930, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8abc1970, DeviceName: Unknown, DriverName: \Driver\CmgHiber\
DevicePointer: 0xffffffff8abc1ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8accb510, DeviceName: \Device\000000a1\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8aca9940, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\CmgHiber\
Upper DeviceData: 0xffffffffe1289368, 0xffffffff8abc1ab8, 0xffffffff88807ab8
Lower DeviceData: 0xffffffffe83a7208, 0xffffffff8aca9940, 0xffffffff8842c4c8
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F287A88E
Partition information:
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 312558592
Partition file system is NTFS
Partition is bootable
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 160041885696 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-312561808-312581808)...
Done!
Performing system, memory and registry scan...
Infected: HKCU\SOFTWARE\CROSSRIDER|215AppVerifier --> [Adware.GamePlayLab]
Infected: HKCU\SOFTWARE\CROSSRIDER --> [Adware.GamePlayLab]
Infected: HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify --> [PUM.Disabled.SecurityCenter]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal successful. No system shutdown is required.
=======================================
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
© Malwarebytes Corporation 2011-2012
OS version: 5.1.2600 Windows XP Service Pack 3 x86
Account is Administrative
Internet Explorer version: 8.0.6001.18702
Java version: 1.6.0_30
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.664000 GHz
Memory total: 3210788864, free: 2446835712
Removal queue found; removal started
Removal finished
=======================================

#10 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,938 posts

Posted 19 March 2013 - 05:09 PM

You don't have to run it again.......

Next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix....please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC

#11 tricon7

tricon7

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts
  • Interests:Computers, exercising, writing, origin-science.

Posted 21 March 2013 - 10:36 AM

My network security program is preventing Combofix from running. I'm going to reboot my laptop in safe mode at 5:00 when I get off work and run it then, then post the log.

#12 tricon7

tricon7

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts
  • Interests:Computers, exercising, writing, origin-science.

Posted 26 March 2013 - 07:38 AM

I'm unable to get access to my Symantec Endpoint Protection software on my laptop in order to disable it, since I don't have the privileges. However, a network admin is coming by later today to see about gaining access in order to run Combofix. I hope to have it completed today.

#13 tricon7

tricon7

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts
  • Interests:Computers, exercising, writing, origin-science.

Posted 26 March 2013 - 07:39 AM

Test.

#14 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,938 posts

Posted 26 March 2013 - 07:51 AM

OK, let me know....MrC

#15 tricon7

tricon7

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts
  • Interests:Computers, exercising, writing, origin-science.

Posted 27 March 2013 - 10:10 AM

Okay, I finally ran Combofix. It took about two hours for it to scan, then create a logfile. It did find some things. Here's the file.

---

ComboFix 13-03-24.03 - PCTech 03/27/2013 10:01:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2061 [GMT -4:00]
Running from: c:\documents and settings\JXD922870\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\gjm3958\Local Settings\Application Data\assembly\tmp
c:\documents and settings\jac922662\Local Settings\Application Data\assembly\tmp
c:\documents and settings\JXD922870\Application Data\Secure-Soft Stealer
c:\documents and settings\JXD922870\Local Settings\Application Data\assembly\tmp
c:\windows\InstallDir
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2013-02-27 to 2013-03-27 )))))))))))))))))))))))))))))))
.
.
2013-03-22 15:19 . 2013-03-22 15:19 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-21 20:05 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-20 20:30 . 2013-03-20 20:32 -------- dc-h--w- c:\windows\ie8
2013-03-19 17:59 . 2013-03-19 17:59 15859416 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-03-10 04:55 . 2013-03-10 18:12 -------- d-----w- c:\documents and settings\JXD922870\Application Data\vlc
2013-03-10 04:54 . 2013-03-10 04:55 -------- d-----w- c:\program files\VLC
2013-03-10 03:26 . 2013-03-21 22:35 -------- d-----w- c:\documents and settings\JXD922870\Local Settings\Application Data\Updater26276
2013-03-10 03:26 . 2013-03-10 03:27 -------- d-----w- c:\program files\Deal Spy
2013-03-10 03:12 . 2013-03-10 03:12 -------- d-----w- c:\documents and settings\JXD922870\Local Settings\Application Data\getsavin
2013-02-27 04:00 . 2013-02-27 04:00 -------- d-----w- c:\program files\Flexera Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-22 15:19 . 2012-08-10 15:25 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-22 15:19 . 2012-01-30 13:05 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-22 15:19 . 2012-01-30 13:05 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-20 19:54 . 2012-04-16 18:07 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-20 19:54 . 2011-12-15 22:46 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-12 00:32 . 2011-05-31 15:01 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2011-05-31 15:01 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2011-05-31 15:01 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2011-05-31 15:01 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2011-05-31 15:01 385024 ----a-w- c:\windows\system32\html.iec
2013-02-04 00:32 . 2013-02-04 00:32 388096 ----a-r- c:\documents and settings\JXD922870\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-01-26 03:55 . 2011-05-31 15:01 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:32 . 2011-11-06 11:20 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:45 . 2011-11-06 11:20 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:32 . 2011-05-31 15:01 1876224 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2011-05-31 15:01 1292288 ----a-w- c:\windows\system32\quartz.dll
2013-01-02 06:49 . 2011-05-31 15:01 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2008-02-08 02:46 . 2013-03-08 02:22 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2013-03-08 02:22 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2013-03-08 02:22 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2013-03-08 02:22 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2013-03-08 02:22 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2013-03-08 02:22 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2013-03-08 02:22 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2013-03-08 02:22 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2013-03-08 02:22 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2013-03-08 02:22 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2013-03-08 02:22 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2013-03-08 02:22 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2013-03-08 02:22 . 2013-03-08 02:22 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\i386\es.dll
[-] 2008-07-07 12:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
.
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\i386\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2012-07-30 5164632]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-03-01 115624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-02-03 2670592]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-04-02 128232]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2011-08-25 267880]
"EmsService"="EmsServiceHelper.exe" [2011-08-25 2053736]
"EDFcsn"="c:\program files\Hewlett-Packard\Discovery Agent\Plugins\usage\discfcsn.exe" [2012-07-15 162688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-02 946352]
"kdx"="c:\program files\Kontiki\KHost.exe" [2010-06-01 1461800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2011-12-28 180269]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2012-06-07 522744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-08-06 85528]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Program Neighborhood Agent.lnk - c:\windows\Installer\{2624B680-02BC-4CBC-839C-DA20DF6EF6EC}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2011-12-16 61440]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2011-08-25 23:33 173672 ----a-w- c:\windows\system32\CmgShieldNP.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snagit 10.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snagit 10.lnk
backup=c:\windows\pss\Snagit 10.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service
.
R0 CmgHiber;CmgHiber;c:\windows\system32\drivers\CmgHiber.sys [8/25/2011 7:33 PM 101736]
R0 CmgPCS;Credant PCS;c:\windows\system32\drivers\CmgPCS.sys [8/25/2011 7:34 PM 101088]
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [8/6/2008 10:04 AM 309096]
R0 CMGShieldReg;CMGShieldReg;c:\windows\system32\drivers\CmgShREG.sys [8/25/2011 7:33 PM 22888]
R1 CTLInst_;CTLInst_;c:\program files\CTLInst\CTLInst_.sys [5/8/2012 10:04 PM 77760]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 7:00 AM 26624]
R2 CMGShield;CMGShield;c:\windows\system32\CmgShieldSvc.exe [8/6/2008 10:00 AM 2672232]
R2 CTLInst;CTLInst;c:\program files\CTLInst\CTLInst.exe [5/8/2012 10:04 PM 937984]
R2 EMS;EMS;EMSService.exe --> EMSService.exe [?]
R2 prgnDiscAgent;HP DDMI Agent;c:\program files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe [7/15/2012 12:15 AM 826752]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [1/31/2013 11:38 AM 3289208]
R2 SU;SU Service;c:\windows\system32\suss.exe [5/31/2011 11:02 AM 17168]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [6/7/2012 10:34 AM 478712]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 7:00 AM 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/14/2012 4:41 PM 106656]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/7/2013 2:24 PM 161384]
S3 acsint;acsint;c:\windows\system32\drivers\acsint.sys [1/18/2013 1:05 AM 38440]
S3 acsmux;acsmux;c:\windows\system32\drivers\acsmux.sys [1/18/2013 1:05 AM 57256]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [8/6/2008 10:02 AM 173672]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/28/2010 4:16 PM 23888]
S3 RemoteCmd;Remote Command Server;RCMDSVC.EXE --> RCMDSVC.EXE [?]
S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [5/31/2011 4:44 PM 17968]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##odyssey.nnet#ans]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\Server.exe
\Shell\Open\command - z:\recycler\S-1-5-21-1482476501-3352491937-682996330-1013\Server.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##odyssey.nnet#prov$]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\Server.exe
\Shell\Open\command - RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\Server.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ffc3e18-280f-11e1-9bb1-001c2308c147}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\APPSHAREHKCU]
2011-05-06 17:04 121036 ----a-w- c:\windows\AppShareHKCU.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\CCSCR]
2009-09-28 14:17 121169 ----a-w- c:\windows\CCSCR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Livelink_Explorer_Professional_4_8_5]
2011-04-15 19:50 128027 ----a-w- c:\program files\Open Text\Livelink Explorer\LiveLinkExplorer485_ActiveSetup.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OCSSIPCHNG]
2012-02-17 01:19 121578 ----a-w- c:\windows\OCSSIPCHNG.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\WinRAR]
2005-08-25 18:32 111805 ----a-w- c:\progra~1\WinRAR\WinRAR_3_50_config.EXE
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 19:54]
.
2013-03-27 c:\windows\Tasks\User_Feed_Synchronization-{F2BEEAB4-3D56-4B6B-BFCB-B17B0E912819}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
Trusted Zone: adobe.com\forums
Trusted Zone: ccsurvey.com\*.report3
Trusted Zone: confarchives.com
Trusted Zone: conferencing.com
Trusted Zone: conferencinghub.com
Trusted Zone: corp.intranet\doc-share
Trusted Zone: corp.intranet\learningcenter
Trusted Zone: directv.com
Trusted Zone: dstoutput.com
Trusted Zone: e-invoice.com\qwest26
Trusted Zone: eqsalespt.com
Trusted Zone: force.com
Trusted Zone: iconf.net
Trusted Zone: intergies.com
Trusted Zone: ips.ihost.com
Trusted Zone: kclisi01
Trusted Zone: kclisi02
Trusted Zone: kdnibp04
Trusted Zone: Liveperson.net
Trusted Zone: logmeinrescue.com
Trusted Zone: pramata.com
Trusted Zone: prod.com\rio2ui
Trusted Zone: prod.com\rio2ui2
Trusted Zone: qintra.com\eccpo
Trusted Zone: qintra.com\einstein
Trusted Zone: qintra.com\epaycce.ad
Trusted Zone: qintra.com\qgem.ad
Trusted Zone: qintra.com\qsi
Trusted Zone: qintra.com\qtdenvmpc026.ad
Trusted Zone: qintra.com\rms.ad
Trusted Zone: qintra.com\sci
Trusted Zone: qintra.com\som.ad
Trusted Zone: qintra.com\twist2
Trusted Zone: qtomavmpc025
Trusted Zone: qwestccc.com
Trusted Zone: salesforce.com
Trusted Zone: skillport.com
Trusted Zone: skillwsa.com
Trusted Zone: spw
Trusted Zone: ssapps
Trusted Zone: ssappsdev
Trusted Zone: teds.com\centurylink
Trusted Zone: ups.com
Trusted Zone: uswest.com\consultingplusordering.uswc
Trusted Zone: uswest.com\consultingplustraining.uswc
Trusted Zone: uswest.com\qtracker.uswc
Trusted Zone: verizonwireless.com
Trusted Zone: visual.force.com
Trusted Zone: vzwcorp.com
Trusted Zone: whmi.biz
TCP: DhcpNameServer = 10.206.132.31 10.3.153.115
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {538793D5-659C-4639-A56C-A179AD87ED44} - vpnweb.cab
DPF: {EF55A67E-D9E4-4151-B026-1BE1B535ABFD} - hxxp://LOCALHOST/ESD/ESDComputerName.CAB
FF - ProfilePath - c:\documents and settings\JXD922870\Application Data\Mozilla\Firefox\Profiles\c7tc2z1m.default\
FF - prefs.js: browser.startup.homepage - www.bing.com
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-02-22 00:02; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: 2013-03-09 22:26; cca2b8f2-77b0-4282-9533-b31982107a80@ef5174e8-db70-4d61-88df-24b975460bd0.com; c:\documents and settings\JXD922870\Application Data\Mozilla\Firefox\Profiles\c7tc2z1m.default\extensions\cca2b8f2-77b0-4282-9533-b31982107a80@ef5174e8-db70-4d61-88df-24b975460bd0.com
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-27 11:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\CredDB.CEF 296 bytes
c:\windows\Temp\CredDB.CEF 592 bytes
c:\windows\TEMP\CredDB.CEF 592 bytes
c:\windows\Downloaded Program Files\CredDB.CEF 888 bytes
C:\CMG3301d.DAT 320 bytes
c:\documents and settings\JXD922870\Application Data\Adobe\Acrobat\9.0\Security\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Adobe\Acrobat\9.0\Security\CRLCache\CredDB.CEF 644 bytes
c:\documents and settings\JXD922870\Application Data\Adobe\Flash Player\AssetCache\B7SZU8CM\CredDB.CEF 15124 bytes
c:\documents and settings\JXD922870\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Aelita\EMW Backup\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Macromedia\Flash Player\#SharedObjects\CPX5ADQE\admin.brightcove.com\[[IMPORT]]\79423.analytics.edgekey.net\csma\plugin\csma.swf\CredDB.CEF 612 bytes
c:\documents and settings\JXD922870\Application Data\Macromedia\Flash Player\#SharedObjects\CPX5ADQE\cdn.optimatic.com\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Macromedia\Flash Player\#SharedObjects\CPX5ADQE\secure-uk.imrworldwide.com\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#admin.brightcove.com\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn.gigya.com\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn.optimatic.com\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#skype.com\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\CredDB.CEF 2718 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Access\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\CryptnetUrlCache\Content\CredDB.CEF 15832 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\CryptnetUrlCache\MetaData\CredDB.CEF 15832 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Document Building Blocks\1033\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\HTML Help\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Internet Explorer\CredDB.CEF 600 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Internet Explorer\UserData\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Office\CredDB.CEF 2072 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Office\Recent\CredDB.CEF 16706 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Outlook\CredDB.CEF 1184 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Signatures\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Templates\CredDB.CEF 888 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\UProof\CredDB.CEF 592 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Web Server Extensions\Cache\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Windows\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Microsoft\Word\CredDB.CEF 598 bytes
c:\documents and settings\JXD922870\Application Data\Mozilla\Firefox\Profiles\c7tc2z1m.default\CredDB.CEF 1184 bytes
c:\documents and settings\JXD922870\Application Data\Notepad++\plugins\config\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Real\RealPlayer\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Skype\hawkeye_avengers\CredDB.CEF 1776 bytes
c:\documents and settings\JXD922870\Application Data\Skype\shared_dynco\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Skype\shared_httpfe\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\Sun\Java\Deployment\security\CredDB.CEF 296 bytes
c:\documents and settings\JXD922870\Application Data\VanDyke\Config\KnownHosts\CredDB.CEF 296 bytes
.
scan completed successfully
hidden files: 43
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1892)
c:\windows\system32\CmgShieldNP.dll
.
- - - - - - - > 'lsass.exe'(1948)
c:\windows\SYSTEM32\SYSFER.DLL
.
- - - - - - - > 'explorer.exe'(4368)
c:\windows\SYSTEM32\SYSFER.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\EMSService.exe
c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\DWRCS.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Hewlett-Packard\Discovery Agent\Plugins\usage\discusge.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Citrix\ICA Client\PNAMAIN.EXE
c:\windows\system32\EmsServiceHelper.exe
.
**************************************************************************
.
Completion time: 2013-03-27 11:26:25 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-27 15:26
.
Pre-Run: 120,448,327,680 bytes free
Post-Run: 120,825,135,104 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
.
- - End Of File - - 38D224A00FAF44441B8D0BF2BAEBBB16