IE Crashing and Google Hijacked in Mozilla

weskelton
Joined: Jul 06, 2009, Posts: 2
Posted: Mon Jul 06, 2009 1:07 pm    Post subject: IE Crashing and Google Hijacked in Mozilla

I started having problems last week. MalwareBytes was able to identify and remove a number of Trojans and Backdoor Bots. However, I am still having issues with my browsers. IE seems to be crashing rather frequently (sometimes doesn't start at all). With Mozilla, I am having my Google search results redirected to other non-related pages. Here is a HijackThis log file from today. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:20 PM, on 07/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\AdmHlprS.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Ecm4\Installer\EcmComSocketListenerService\EcmComSocketListenerService.exe
C:\SQLLIB\BIN\db2jds.exe
C:\SQLLIB\BIN\db2sec.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\IBM\AgentController\bin\ACWinService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\IBM\AgentController\bin\tptpProcessController.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Symantec\SPA\smc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\SUSS.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Configuresoft\CSI Remote Client\CSIRemoteCSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\UTILS\PERL\BIN\perl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\SPA\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Adobe\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\RAD6\runtimes\base_v6\java\bin\java.exe
C:\notes\NLNOTES.EXE
C:\notes\ntaskldr.EXE
C:\RAD6\eclipse\eclipse.exe
C:\RAD6\eclipse\jre\bin\javaw.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.chubb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.chubb.com
F3 - REG:win.ini: run=C:\DOCUME~1\p6248f8.LOC\WinStart.cmd
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [lcfep] "C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [EdWizard] "C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" as
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe "/Trigger RunAtLogon"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {E24C35CC-CA21-49c1-84CD-E503AA72FE93} - C:\Chbcode\SendCUWIE (file missing)
O9 - Extra 'Tools' menuitem: Send to CUW ECF - {E24C35CC-CA21-49c1-84CD-E503AA72FE93} - C:\Chbcode\SendCUWIE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .NPSSView: C:\PROGRA~1\SEAGAT~1\Viewers\ACTIVE~1\npssview.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.chubb.com
O15 - Trusted Zone: http://www.cbbillreview.com
O15 - Trusted Zone: http://www.clcmetrics.com
O15 - Trusted Zone: http://www.corpedia.com
O15 - Trusted Zone: http://mycompany.elt-inc.com
O15 - Trusted Zone: http://corp.globalenglish.com
O15 - Trusted Zone: http://chubb.imaginatik.com
O15 - Trusted Zone: http://chubbedit.imaginatik.com
O15 - Trusted Zone: http://ping.imaginatik.com
O15 - Trusted Zone: http://chubb.knowledgepathways.com
O15 - Trusted Zone: http://dataconference.presentonline.com
O15 - Trusted Zone: http://pol.presentonline.com
O15 - Trusted Zone: http://www.presentonline.com
O15 - Trusted Zone: http://cf3.skillsoft.com
O15 - Trusted Zone: http://learning.syntrio.com
O15 - Trusted Zone: http://www.syntrio.com
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://www.webtrain.com/cabinet/wt0806.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cb.tcgic.com
O17 - HKLM\Software\..\Telephony: DomainName = cb.tcgic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{712397CA-7D81-4548-AC5F-792C4917D8E2}: Domain = chubb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBA61290-F514-4210-A682-D784EC42F9D2}: Domain = chubb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cb.tcgic.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.20.6.43,167.156.228.116
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.20.6.43,167.156.228.116
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Administrator Helper (AdmHlprS) - Unknown owner - C:\WINDOWS\system32\AdmHlprS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CSI ECM Socket Listener - Unknown owner - C:\WINDOWS\Ecm4\Installer\EcmComSocketListenerService\EcmComSocketListenerService.exe
O23 - Service: Configuresoft ECM Remote Client (CSIRemoteC) - Configuresoft, Inc. - C:\Program Files\Configuresoft\CSI Remote Client\CSIRemoteCSvc.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\SQLLIB\BIN\db2sec.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rational Agent Controller - Unknown owner - C:\Program Files\IBM\AgentController\bin\ACWinService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Oracle92RUNClientCache - Unknown owner - c:\oracle\BIN\ONRSD.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation. - C:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

--
End of file - 14309 bytes
greyknight17
Joined: Feb 03, 2003, Posts: 5674, Location: Brooklyn, NY
Posted: Tue Jul 07, 2009 11:37 pm
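Reading a HijackThis log by hand means scanning for the same handful of line types every time: the F3 win.ini autostart, O4 Run values that are bare file names, O15 Trusted Zone sites, the O17 resolvers (worth ruling out when search results are being redirected), O20 Winlogon Notify DLLs, and O23 services with no vendor or a missing binary. The script below is an added example written for this thread, not code from the poster, the helper, or Trend Micro's HijackThis; it classifies entries by their section prefix and flags those categories. Which lines count as "interesting" is this example's own choice, not a HijackThis rule, and a flagged line is a prompt to look closer, not a verdict. The sample input is a handful of lines copied from the log above.

```python
"""Triage helper for HijackThis 2.x log lines.

Added example for this thread; it is not code from the poster, from the
helper, or from Trend Micro's HijackThis.  It classifies each log entry by
its section prefix (R0, F3, O4, O15, O17, O20, O23 ...) and flags the kinds
of line a log reader checks first.  Which lines count as "interesting" is
this example's own choice, not a HijackThis rule.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.groups()
        if section == "F3" and "win.ini" in body:
            # win.ini run= is a legacy autostart; worth reading the script it launches.
            findings.append(Finding(section, "legacy win.ini run= autostart", line))
        elif section == "O4":
            r = O4_RE.match(body)
            if r and "\\" not in r.group("cmd"):
                # Bare file name: resolved through the PATH search, so a writable
                # directory earlier in PATH could shadow it.
                findings.append(Finding(section, "Run value with no directory (PATH-resolved)", line))
        elif section == "O15":
            # Trusted Zone sites get IE's relaxed security settings.
            findings.append(Finding(section, "site in IE Trusted Zone", line))
        elif section == "O17":
            s = O17_RE.search(body)
            if s:
                # A changed resolver is one thing to rule out for redirected searches.
                findings.append(Finding(section, "DNS servers: " + s.group("servers"), line))
        elif section == "O20":
            w = O20_RE.match(body)
            if w and "(file missing)" in w.group("path"):
                findings.append(Finding(section, "Winlogon Notify DLL missing on disk", line))
        elif section == "O23":
            svc = O23_RE.match(body)
            if svc and svc.group("owner") == "Unknown owner":
                findings.append(Finding(section, "service with no recorded vendor", line))
            if svc and "(file missing)" in svc.group("path"):
                findings.append(Finding(section, "service binary missing on disk", line))
    return findings


def by_section(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section prefix."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Sample input: a handful of lines copied from the log in the post above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.chubb.com
F3 - REG:win.ini: run=C:\DOCUME~1\p6248f8.LOC\WinStart.cmd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O15 - Trusted Zone: http://www.syntrio.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.20.6.43,167.156.228.116
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
O23 - Service: Administrator Helper (AdmHlprS) - Unknown owner - C:\WINDOWS\system32\AdmHlprS.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:45} {f.line}")
```

Run it against a full log and skim only the output. One caveat on the O23 rule: HijackThis typically shows `C:\Program.exe (file missing)` when a service's ImagePath is an unquoted path containing a space (here the MySQL server is visibly running from `C:\Program Files\MySQL\...`), so that particular line points at a service-path quoting problem rather than a deleted binary.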

Welcome to Lockergnome.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the ComboFix log here.

weskelton
Joined: Jul 06, 2009, Posts: 2
Posted: Fri Jul 24, 2009 12:32 pm

Sorry about the delay; I finally got the OK from our desktop support guy to run ComboFix. Here is the resulting log...

ComboFix 09-07-23.04 - p6248f8 07/24/2009 12:08.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2168 [GMT -4:00]
Running from: \\BRBRS001\home\P6248F8\Chubb Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Protection Agent 5.1 *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\recycler\S-1-5-21-1085806099-4168701361-813958858-500
c:\windows\Installer\51e994.msi
c:\windows\Installer\72364.msp
c:\windows\system32\Cache
c:\windows\system32\config\systemprofile\Application Data\twain_32
c:\windows\system32\config\systemprofile\Application Data\twain_32\user.ds
c:\windows\system32\Ijl11.dll
c:\windows\system32\TivoliAP.dll
c:\windows\system32\WT_AUDIOHELPER.EXE


.
((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 12:44 . 2009-07-23 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dee03.vdb\ECMSVR32.DLL
2009-07-24 12:44 . 2009-06-29 20:11 875728 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dee03.vdb\NAVEX15.SYS
2009-07-24 12:44 . 2009-06-29 20:11 87888 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dee03.vdb\NAVENG.SYS
2009-07-24 12:44 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dee03.vdb\CCERASER.DLL
2009-07-24 12:44 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dee03.vdb\NAVEX32A.DLL
2009-07-24 12:44 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dee03.vdb\NAVENG32.DLL
2009-07-24 12:44 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dee03.vdb\ERASER.SYS
2009-07-24 12:44 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dee03.vdb\EECTRL.SYS
2009-07-23 03:54 . 2009-07-23 03:54 -------- d-s---w- c:\documents and settings\NetworkService.LOC\Temporary Internet Files
2009-07-23 03:54 . 2009-07-23 03:54 -------- d-----w- c:\documents and settings\NetworkService.LOC
2009-07-23 03:43 . 2009-07-23 03:59 -------- d-----w- c:\program files\dthnsv
2009-07-22 12:44 . 2009-07-22 12:47 -------- d-----w- C:\ChubbCertificates
2009-07-21 19:18 . 2009-07-21 19:27 -------- d-----w- C:\ServerTrustStore
2009-07-21 19:17 . 2009-07-21 19:32 -------- d-----w- C:\ServerKeyStore
2009-07-21 19:17 . 2009-07-21 19:38 -------- d-----w- C:\ClientKeyStore
2009-07-21 19:17 . 2009-07-21 19:28 -------- d-----w- C:\ClientTrustStore
2009-07-20 17:12 . 2009-07-20 17:12 -------- d-----w- c:\documents and settings\p6248f8\Local Settings\Application Data\Opera
2009-07-20 17:12 . 2009-07-20 17:12 -------- d-----w- c:\program files\Opera
2009-07-06 16:27 . 2009-07-06 16:27 -------- d-----w- c:\program files\Trend Micro
2009-07-04 04:09 . 2009-07-04 04:09 -------- d-----w- c:\documents and settings\p6248f8\AppData\PKWARE
2009-07-04 04:09 . 2009-07-04 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PKWARE
2009-07-04 03:56 . 2009-07-04 04:16 -------- d-----w- c:\windows\Downloaded Installations
2009-07-04 03:01 . 2009-07-04 03:01 -------- d-----w- c:\program files\PHP
2009-07-02 13:00 . 2009-07-20 12:44 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-02 12:59 . 2009-07-02 12:59 -------- d-----w- c:\documents and settings\p6248f8\AppData\Malwarebytes
2009-07-02 12:59 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 12:59 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 12:59 . 2009-07-02 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 12:58 . 2009-07-20 12:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 03:55 . 2004-08-04 04:56 82944 ----a-w- c:\windows\system32\dllcache\ws2_32.dll
2009-06-28 04:36 . 2009-07-08 05:22 -------- d-----w- C:\Retrosheet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 16:18 . 2008-08-01 13:41 841 -c--a-w- c:\documents and settings\p6248f8.LOC\ShellFolders.ENV.CMD
2009-07-24 16:18 . 2008-08-01 13:41 84 -c--a-w- c:\documents and settings\p6248f8.LOC\WINAPP.ENV.CMD
2009-07-24 16:18 . 2008-08-01 13:41 774 -c--a-w- c:\documents and settings\p6248f8.LOC\WinStart.cmd
2009-07-24 16:18 . 2008-08-01 13:41 635 -c--a-w- c:\documents and settings\p6248f8.LOC\NTLOGON.ENV.CMD
2009-07-24 16:18 . 2008-08-01 13:41 371 -c--a-w- c:\documents and settings\p6248f8.LOC\ShellRestrict.ENV.CMD
2009-07-24 15:55 . 2007-09-17 16:58 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-24 12:45 . 2008-08-01 13:42 300 ----a-w- c:\documents and settings\p6248f8\3270HOST.CMD
2009-07-24 07:39 . 2008-11-13 16:22 -------- d-----w- c:\documents and settings\p6248f8\AppData\MySQL
2009-07-22 19:29 . 2008-08-04 12:57 -------- d-----w- c:\documents and settings\p6248f8\AppData\AdobeUM
2009-06-25 18:46 . 2009-06-11 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-25 18:46 . 2009-06-11 18:15 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-06-25 18:46 . 2009-06-11 16:52 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-06-25 18:45 . 2009-06-11 18:09 -------- d-----w- c:\program files\MSBuild
2009-06-24 15:57 . 2009-06-24 15:57 70984 ----a-w- c:\windows\java\g2mdlhlpx.exe
2009-06-24 15:56 . 2008-10-13 13:51 -------- d-----w- c:\program files\Citrix
2009-06-24 15:56 . 2009-06-24 15:56 70984 ----a-w- c:\documents and settings\p6248f8\g2mdlhlpx.exe
2009-06-17 16:01 . 2008-08-01 13:40 130 ----a-w- c:\documents and settings\p6248f8\Local Settings\Application Data\fusioncache.dat
2009-06-17 15:16 . 2008-10-02 13:19 96962 ----a-w- c:\windows\Fonts\AdobeFnt07.lst
2009-06-13 02:04 . 2009-06-13 02:04 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-06-12 18:08 . 2009-06-12 18:08 -------- d-----w- c:\documents and settings\p6248f8\AppData\Subversion
2009-06-12 13:11 . 2008-08-01 13:40 66912 ----a-w- c:\documents and settings\p6248f8\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 18:39 . 2009-06-11 18:09 289936 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-11 18:39 . 2009-06-11 18:23 1007488 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\visualstudio\9.0\1033\ResourceCache.dll
2009-06-11 18:37 . 2009-06-11 18:37 -------- d-----w- c:\program files\Business Objects
2009-06-11 18:34 . 2009-06-11 18:30 -------- d-----w- c:\program files\Microsoft SQL Server
2009-06-11 18:32 . 2009-06-11 16:52 -------- d-----w- c:\program files\Microsoft.NET
2009-06-11 18:29 . 2009-06-11 18:29 -------- d-----w- c:\program files\Microsoft Device Emulator
2009-06-11 18:29 . 2009-06-11 18:28 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2009-06-11 18:26 . 2009-06-11 18:26 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-06-11 18:26 . 2009-06-11 18:26 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-06-11 18:23 . 2009-06-11 18:23 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-06-11 18:23 . 2009-06-11 18:00 66472 ----a-w- c:\documents and settings\ncit250\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-11 18:15 . 2009-06-11 18:15 -------- d-----w- c:\program files\Microsoft SDKs
2009-06-11 18:14 . 2009-06-11 18:14 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2009-06-11 18:11 . 2009-06-11 18:11 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-06-11 18:09 . 2009-06-11 18:09 -------- d-----w- c:\program files\Reference Assemblies
2009-06-11 18:04 . 2009-06-11 18:04 -------- d-----w- c:\program files\MSXML 6.0
2009-06-11 17:23 . 2009-06-11 17:23 -------- d-----w- c:\program files\MSDN
2009-06-11 17:10 . 2007-09-21 16:03 -------- d-----w- c:\program files\Microsoft Visual Studio .NET 2003
2009-06-11 17:01 . 2009-06-11 16:52 -------- d-----w- c:\program files\HTML Help Workshop
2009-06-11 16:53 . 2007-09-21 16:03 -------- d-----w- c:\program files\Common Files\Crystal Decisions
2009-06-11 16:52 . 2009-06-11 16:52 -------- d-----w- c:\program files\Microsoft ACT
2009-06-08 20:16 . 2009-06-06 13:09 -------- d-----w- c:\program files\HeidiSQL
2009-06-06 13:09 . 2009-06-06 13:09 -------- d-----w- c:\documents and settings\p6248f8\AppData\HeidiSQL
2009-06-06 13:09 . 2009-06-06 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\HeidiSQL
2009-05-05 14:17 . 2009-05-05 14:17 81920 ----a-w- c:\documents and settings\All Users\Application Data\IBM\Installation Manager\uninstall\launcherLibrary\eclipse_1115.dll
2009-05-05 14:16 . 2008-07-28 18:20 62696 ----a-w- c:\documents and settings\All Users\Application Data\IBM\Installation Manager\uninstall\uninstall.exe
2009-05-05 14:16 . 2008-07-28 18:20 34024 ----a-w- c:\documents and settings\All Users\Application Data\IBM\Installation Manager\uninstall\uninstallc.exe
2009-07-06 11:48 . 2009-07-03 04:19 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[-] 2004-08-04 04:56 82944 75078BD75EB83527937A62A088B121DA c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2004-08-04 04:56 82944 75078BD75EB83527937A62A088B121DA c:\windows\system32\ws2_32.dll
[-] 2004-08-04 04:56 82944 75078BD75EB83527937A62A088B121DA c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl]
@="{ba930330-a721-11d3-a7b9-00500464ee16}"
[HKEY_CLASSES_ROOT\CLSID\{ba930330-a721-11d3-a7b9-00500464ee16}]
2007-07-20 16:19 77824 ----a-w- c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl2]
@="{2030D939-54A7-4fea-9B06-49EA77EFC87F}"
[HKEY_CLASSES_ROOT\CLSID\{2030D939-54A7-4fea-9B06-49EA77EFC87F}]
2007-07-20 16:19 77824 ----a-w- c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Sametime Connect"="c:\program files\Lotus\Sametime Client\Connect.exe" [2003-06-29 1302528]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\366\g2mstart.exe" [2009-06-24 31552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\\FaxCtrl.exe" [2002-07-24 114688]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-12-07 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-12-07 208896]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"lcfep"="c:\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" [2008-06-17 122880]
"SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2007-07-20 24576]
"EdWizard"="c:\program files\Utimaco\SafeGuard Easy\EdWizard.exe" [2007-07-20 245760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Distillr\acrotray.exe [2003-7-30 217195]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-18 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-6-6 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 21:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 15:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
2002-01-22 19:28 110592 ----a-w- c:\windows\system32\SGLogEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
2005-03-31 15:27 69632 ----a-w- c:\windows\system32\SGLogNotification.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TVT Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [07/20/2007 12:21 PM 19712]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [07/20/2007 12:21 PM 62720]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [10/16/2007 7:33 PM 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 7:32 PM 19504]
R1 SysGuard;SysGuard;c:\windows\system32\drivers\Sysguard.sys [06/17/2008 7:46 AM 44634]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [01/18/2008 11:51 AM 4442]
R2 AdmHlprS;Administrator Helper;c:\windows\system32\AdmHlprS.exe [09/03/2003 12:02 PM 50176]
R2 CSI ECM Socket Listener;CSI ECM Socket Listener;c:\windows\Ecm4\Installer\EcmComSocketListenerService\EcmComSocketListenerService.exe [09/21/2007 1:02 PM 720896]
R2 CSIRemoteC;Configuresoft ECM Remote Client;c:\program files\Configuresoft\CSI Remote Client\CSIRemoteCSvc.exe [04/25/2006 5:40 PM 102400]
R2 IBM Rational Agent Controller;IBM Rational Agent Controller;c:\program files\IBM\AgentController\bin\ACWinService.exe [05/05/2009 12:40 PM 69632]
R2 lcfd;Tivoli Endpoint;c:\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe [06/17/2008 7:44 AM 118784]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [03/14/2007 7:48 PM 116416]
R2 SU;SU Service;c:\windows\system32\SUSS.EXE [09/03/2003 12:06 PM 17168]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [02/26/2009 3:26 PM 101936]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [06/18/2008 8:22 AM 114016]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [09/09/2001 8:00 PM 17976]
S3 iAimFP8;iAimFP8;c:\windows\system32\drivers\wADV11NT.sys [12/10/2003 11:02 AM 11935]
S3 IBMTRP;IBM Token-Ring PCI Adapter (Generic);c:\windows\system32\drivers\IBMTRP.SYS [05/08/2003 11:57 AM 109085]
S3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [06/08/2007 9:36 AM 81280]
S3 Oracle92RUNClientCache;Oracle92RUNClientCache;c:\oracle\bin\ONRSD.EXE [04/26/2002 7:34 PM 242328]
S3 tpflhlp;tpflhlp;c:\drivers\FLASH\7luj07us\tpflhlp.sys [07/24/2007 5:14 PM 13360]
S3 WinPhlash;WinPhlash;\??\c:\program files\Lenovo\System Update\session\7luj08us\PHLASHNT.SYS --> c:\program files\Lenovo\System Update\session\7luj08us\PHLASHNT.SYS [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AccessDataAcrossDomains]
regedit /s c:\utils\AccessDataAcrossDomains.pl

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\accessruntime]
msiexec.exe /i c:\utils\ACCESSRT.MSI ALLUSERS=1 /qb- /lie c:\utils\logs\accessrun.log

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\excelregfix]
msiexec /i c:\utils\excelregfix.msi /qb- /lie c:\utils\logs\excelregfix.log

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\msaccessfix]
c:\windows\regedit /s c:\temp\MDW.reg

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\msword2002regfix]
msiexec /i c:\utils\msword2002regfix.msi /qb- /lie c:\utils\logs\msword2002regfix.log

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MyComputerZone]
regedit /s c:\utils\MyComputerZone.reg

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\snagit6_uninstall]
regedit /s c:\utils\snagit6_uninstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\sre_final]
regedit /s c:\utils\sre_final.reg

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\sre_final.reg]
regedit /s c:\utils\sre_final.reg

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\TurnOffPrintNotifications]
regedit /s c:\utils\TurnOffPrintNotifications.reg
.
Contents of the 'Scheduled Tasks' folder

2009-07-24 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-01-18 06:22]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_09\bin\jusched.exe
Notify-ACNotify - ACNotify.dll
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.chubb.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{E24C35CC-CA21-49c1-84CD-E503AA72FE93} - c:\chbcode\SendCUWIE
Trusted Zone: att.com\www.webmeeting
Trusted Zone: authoria.com\chubb
Trusted Zone: cbbillreview.com\www
Trusted Zone: chubb.com\hr
Trusted Zone: clcmetrics.com\www
Trusted Zone: corpedia.com\www
Trusted Zone: elt-inc.com\mycompany
Trusted Zone: globalenglish.com\corp
Trusted Zone: imaginatik.com\chubb
Trusted Zone: imaginatik.com\chubbedit
Trusted Zone: imaginatik.com\ping
Trusted Zone: knowledgepathways.com\chubb
Trusted Zone: microsoft.com\msdn
Trusted Zone: presentonline.com\dataconference
Trusted Zone: presentonline.com\pol
Trusted Zone: presentonline.com\www
Trusted Zone: skillsoft.com\cf3
Trusted Zone: syntrio.com\learning
Trusted Zone: syntrio.com\www
Trusted Zone: webhire.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} - hxxp://www.webtrain.com/cabinet/wt0806.cab
FF - ProfilePath - c:\documents and settings\p6248f8\AppData\Mozilla\Firefox\Profiles\tn2ksujd.default\
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 12:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\CHBGINA.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\CHBCRYPT.DLL
c:\windows\system32\SGLogEx.dll
c:\windows\system32\SGLogNotification.dll
c:\windows\system32\GetUserSid.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2732)
c:\program files\Utimaco\SafeGuard Easy\SgMsgBhk.dll
c:\windows\system32\msi.dll
c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll
c:\program files\Utimaco\SafeGuard Easy\SgeUtil.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-07-24 12:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-24 16:29

Pre-Run: 8,704,970,752 bytes free
Post-Run: 8,647,225,344 bytes free

greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Mon Jul 27, 2009 9:41 pm    Post subject:

If you have desktop support there, you might want that person to take a look at this instead. This sounds like a company computer, so they should have some image for Windows ready at hand and can get your system up and running in a clean state within a very short period of time.

I don't see anything suspicious in the log file. It might have removed some files you will need for your scanner/printer though. So if you have problems, you might have to reinstall the software/drivers for them.

Download GooredFix and save it to your Desktop. Double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. Otherwise, it will auto-close after it's done.
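As an added example, not part of this thread and not code from ComboFix or GooredFix, here is a small Python triage script that parses the policy and firewall section of a ComboFix log in the format posted above and reports settings that weaken the host's defenses (firewall off, automatic updates off, Security Center monitoring off, globally opened firewall ports). The key suffixes, descriptions and the sample lines are assumptions constructed from the format of this log.

```python
import re

KEY_RE = re.compile(r"^\[([^\]]+)\]$")            # [HKLM\...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"= value

# (lower-cased registry key suffix, value name, value that weakens the host, description)
WEAK_SETTINGS = [
    (r"firewallpolicy\standardprofile", "EnableFirewall", "0", "Windows Firewall disabled"),
    (r"windowsupdate\au", "NoAutoUpdate", "1", "Automatic Updates disabled by policy"),
    (r"security center\monitoring\symantecantivirus", "DisableMonitoring", "1", "Security Center monitoring of the antivirus disabled"),
]

# Added example, not the thread's own code: constructed sample in ComboFix's format, values mirror the log above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
""".splitlines()


def parse_sections(lines):
    """Group '"name"= value' lines under the bracketed key that precedes them."""
    sections, current = {}, None
    for line in (raw.strip() for raw in lines):
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def dword(value):
    """ComboFix prints DWORDs as '1 (0x1)' or 'dword:00000001'; return the decimal text."""
    if value.startswith("dword:"):
        return str(int(value[6:], 16))
    return (value.split() or [""])[0]


def find_weakened_settings(lines):
    """Return (value name, description) for each weakened setting and each globally open port."""
    findings = []
    for key, values in parse_sections(lines).items():
        for suffix, name, bad, desc in WEAK_SETTINGS:
            if key.endswith(suffix) and name in values and dword(values[name]) == bad:
                findings.append((name, desc))
        if key.endswith(r"globallyopenports\list"):
            findings.extend((name, "port opened in the firewall for all remote hosts") for name in values)
    return findings
```

Run `find_weakened_settings(SAMPLE_LOG)` to get the four findings for the sample; feeding it the full log text works the same way, since lines outside the key/value format are ignored.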