Unknown virus



chad5411
2010-10-19, 17:45
I have lots of errors in my event log under administrative tools saying something about crypt32
This is a copy of my combofix log. Please help!!!
This is a company computer which is part of a domain. I've been experiencing browser redirects as well as the pc starting up during the night only when the network cable is plugged in.


ComboFix 10-10-18.05 - troy 10/19/2010 10:24:35.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1976.1464 [GMT -4:00]
Running from: c:\documents and settings\Troy\Desktop\Virus Programs\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Troy\My Documents\regold.reg

.
((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-18 19:33 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-18 17:38 . 2010-10-18 17:38 -------- d-----w- c:\documents and settings\Troy\Local Settings\Application Data\Sunbelt Software
2010-10-18 17:38 . 2010-10-18 17:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-10-18 17:38 . 2010-10-18 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-18 17:38 . 2010-10-18 17:38 -------- d-----w- c:\program files\Lavasoft
2010-10-18 17:03 . 2010-10-18 17:03 -------- d-----w- c:\program files\CCleaner
2010-10-18 14:21 . 2010-10-18 14:21 74624 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-10-18 14:21 . 2010-10-18 14:21 -------- d-----w- c:\program files\Prevx
2010-10-18 14:20 . 2010-10-18 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-10-18 13:53 . 2010-10-18 13:53 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-18 13:53 . 2010-10-18 13:53 -------- d-----w- c:\documents and settings\Troy\log
2010-10-14 18:28 . 2010-10-14 18:28 -------- d-----w- c:\documents and settings\Troy\Application Data\Malwarebytes
2010-10-14 18:28 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-14 18:28 . 2010-10-14 18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-14 18:28 . 2010-10-14 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-14 18:28 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-13 17:44 . 2010-10-13 17:44 -------- d-----w- c:\documents and settings\Troy\Application Data\Roxio Log Files
2010-10-13 17:04 . 2010-10-13 17:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-11 18:12 . 2010-10-11 18:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-11 15:46 . 2010-10-12 13:48 0 ----a-w- c:\windows\Xsutuxerux.bin
2010-10-05 21:18 . 2008-04-14 12:42 221184 ------w- c:\windows\system32\wmpns.dll
2010-10-05 21:18 . 2010-10-05 21:18 -------- d-----w- c:\documents and settings\Troy.TROYNOTEBOOK
2010-09-23 12:54 . 2010-09-23 12:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2010-09-23 12:28 . 2003-12-11 15:15 44544 ------w- c:\windows\system32\MSXML4a.dll
2010-09-23 11:42 . 2010-09-23 11:42 -------- d-----w- c:\documents and settings\Troy\Local Settings\Application Data\ESET
2010-09-23 11:41 . 2010-09-23 11:41 -------- d-----w- c:\program files\ESET
2010-09-23 11:41 . 2010-09-23 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-09-22 17:34 . 2010-09-22 17:34 -------- d-----w- c:\documents and settings\Troy\Application Data\deskPDF
2010-09-22 17:33 . 2009-01-12 18:45 20886 ------w- c:\windows\system32\ddmon.dll
2010-09-21 13:52 . 2010-09-21 13:52 -------- d-----w- c:\windows\SchCache
2010-09-21 13:50 . 2010-09-21 13:50 -------- d--h--w- c:\documents and settings\Administrator\InstallAnywhere
2010-09-21 13:39 . 2010-09-21 13:42 246552 ----a-w- c:\windows\User Profile Migration Service.exe
2010-09-21 13:28 . 2010-09-21 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-09-21 13:24 . 2010-09-21 13:35 -------- d-----w- c:\documents and settings\troy.VINTAGETRAILERS
2010-09-21 12:55 . 2010-09-21 13:34 -------- d-----w- c:\windows\system32\NtmsData
2010-09-21 12:54 . 2010-09-21 12:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\HTC
2010-09-21 12:16 . 2010-09-21 12:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Teleca
2010-09-21 12:15 . 2010-09-21 12:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-20 18:45 . 2010-09-20 19:42 -------- d-----w- c:\documents and settings\Troy\Application Data\FreeFileSync
2010-09-20 18:45 . 2010-09-20 18:45 -------- d-----w- c:\program files\FreeFileSync

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-01-09 2393376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"AccelerometerSysTrayApplet"="c:\windows\System32\accelerometerST.exe" [2009-01-23 82488]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-28 298536]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-03-10 506936]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-07-27 288312]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2/20/2009 1:20 PM 109216]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2/20/2009 1:20 PM 51408]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2/20/2009 1:20 PM 12960]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 7:14 AM 24064]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 1:28 PM 95896]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2/20/2009 1:20 PM 12528]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [11/27/2007 8:42 PM 185896]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Bioscrypt [8/4/2004 4:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Bioscrypt [8/4/2004 4:00 AM 14336]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [10/3/2008 4:33 PM 1185016]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [8/12/2010 2:16 PM 810144]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2/20/2009 1:18 PM 256544]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [9/6/2009 3:20 PM 77824]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 3:46 AM 1355928]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 RPakIO;RPakIO;c:\windows\system32\drivers\RPakIO.sys [2/24/2010 12:10 PM 37768]
R3 5U876UVC;HP Webcam [2 MP series];c:\windows\system32\drivers\5U876.sys [12/24/2009 10:06 PM 118656]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [9/6/2009 3:22 PM 228408]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [12/24/2009 10:00 PM 109568]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [8/6/2008 5:43 PM 32256]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [8/6/2008 6:24 PM 349432]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [3/26/2009 1:13 PM 45056]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [4/29/2010 12:07 PM 24576]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 3:46 AM 15008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Bioscrypt REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-01-09 23:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 07:46]

2010-10-13 c:\windows\Tasks\Troy_SyncJob.job
- c:\documents and settings\Troy\My Documents\Troy_SyncJob.ffs_batch [2010-09-20 18:47]
.
.
------- Supplementary Scan -------
.
TCP: {9DDABF64-0BD8-4628-9B47-252E2E030A25} = 192.168.10.253,198.77.116.8
FF - ProfilePath - c:\documents and settings\Troy\Application Data\Mozilla\Firefox\Profiles\d4qk3v75.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x896C9EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba11cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9ef3852
\Driver\iaStor -> iaStor.sys @ 0xb9e51988
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel(R) WiFi Link 5100 AGN -> SendCompleteHandler -> NDIS.sys @ 0xb9d12bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d01a0d
SendHandler -> NDIS.sys @ 0xb9d15b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3828644255-660960353-2589796490-1117\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{599CF8BB-9239-72BE-E928-E78A203931FC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eajmapogcf"=hex:66,61,64,6d,64,6d,61,6f,61,6d,70,61,00,31
"dagmfplg"=hex:64,62,66,63,64,6b,61,62,70,62,63,6b,6b,66,66,67,66,6b,6e,63,64,
6c,66,6d,65,64,64,65,66,6a,6c,6c,64,6c,6e,61,67,70,64,6f,00,00
"iabbbdmgobahadpihp"=hex:6a,61,61,61,68,6c,6c,66,62,64,6a,6f,70,61,61,65,66,6b,
6a,66,00,00
"halcdffhmhcibofl"=hex:6a,61,61,61,68,6c,6c,66,62,64,6a,6f,70,61,61,65,66,6b,
6a,66,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1020)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4756)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\system32\msdtc.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\mqsvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Common Files\Teleca Shared\logger.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\Hewlett-Packard\Shared\hpqToaster.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-10-19 10:40:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-19 14:40

Pre-Run: 104,469,057,536 bytes free
Post-Run: 104,991,129,600 bytes free

- - End Of File - - 112E3F42B6562E337495FF3C9E0146D3

tashi
2010-10-19, 18:22
Hello chad5411,


This is a copy of my combofix log. Please help!!!
This is a company computer which is part of a domain. I've been experiencing browser redirects as well as the pc starting up during the night only when the network cable is plugged in.

Sorry to hear of the issues, but it appears you missed this forum's stickies/FAQs. From "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

In particular, Personal computers or..... (http://forums.spybot.info/showpost.php?p=25712&postcount=5)

Also note for your own reference the reason behind, Please do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806)

Best regards.

chad5411
2010-10-19, 19:51
I'm sorry for jumping the gun with my previous post. I am the IT tech at my place of employment. The owner is requesting that I reformat his hard drive; however, I would rather not head down that path just yet. I have run ERUNT, and these are the results of the DDS.


DDS (Ver_10-10-10.03) - NTFSx86
Run by troy at 12:47:37.43 on Tue 10/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1976.1151 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Bioscrypt
c:\Program Files\Fingerprint Sensor\AtService.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\mqtgsvc.exe
c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\WINDOWS\System32\accelerometerST.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
c:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Troy\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BHO_Startup Class: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\accelerometerST.exe
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {9DDABF64-0BD8-4628-9B47-252E2E030A25} = 192.168.10.253,198.77.116.8
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\troy\applic~1\mozilla\firefox\profiles\d4qk3v75.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2009-2-20 109216]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2009-2-20 51408]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2009-2-20 12960]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-8-3 95896]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2009-2-20 12528]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-11-27 185896]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Bioscrypt [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Bioscrypt [2004-8-4 14336]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-10-3 1185016]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-8-12 810144]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2009-2-20 256544]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2009-9-6 77824]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1355928]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 RPakIO;RPakIO;c:\windows\system32\drivers\RPakIO.sys [2010-2-24 37768]
R3 5U876UVC;HP Webcam [2 MP series];c:\windows\system32\drivers\5U876.sys [2009-12-24 118656]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-9-6 228408]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-12-24 109568]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-8-6 32256]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2008-8-6 349432]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2009-3-26 45056]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-4-29 24576]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15008]

============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-10-19 15:03:36 -------- d-----w- C:\ComboFix
2010-10-19 14:18:19 98816 ----a-w- c:\windows\sed.exe
2010-10-19 14:18:19 77312 ----a-w- c:\windows\MBR.exe
2010-10-19 14:18:19 256512 ----a-w- c:\windows\PEV.exe
2010-10-19 14:18:19 161792 ----a-w- c:\windows\SWREG.exe
2010-10-18 19:33:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-18 17:38:48 -------- d-----w- c:\docume~1\troy\locals~1\applic~1\Sunbelt Software
2010-10-18 17:38:24 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-10-18 17:38:11 -------- d-----w- c:\program files\Lavasoft
2010-10-18 17:03:31 -------- d-----w- c:\program files\CCleaner
2010-10-18 14:21:06 74624 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-10-18 14:21:05 -------- d-----w- c:\program files\Prevx
2010-10-18 14:20:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-10-18 13:53:02 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-18 13:53:02 -------- d-----w- c:\documents and settings\troy\log
2010-10-14 19:24:29 -------- d-sha-r- C:\cmdcons
2010-10-14 18:28:10 -------- d-----w- c:\docume~1\troy\applic~1\Malwarebytes
2010-10-14 18:28:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-14 18:28:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-14 18:28:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-14 18:28:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-13 17:44:03 -------- d-----w- c:\docume~1\troy\applic~1\Roxio Log Files
2010-10-11 15:46:19 0 ----a-w- c:\windows\Xsutuxerux.bin
2010-10-05 21:18:40 221184 ------w- c:\windows\system32\wmpns.dll
2010-09-23 12:28:03 44544 ------w- c:\windows\system32\MSXML4a.dll
2010-09-23 12:21:55 -------- d-----w- c:\program files\common files\Sage
2010-09-23 11:42:03 -------- d-----w- c:\docume~1\troy\locals~1\applic~1\ESET
2010-09-23 11:41:13 -------- d-----w- c:\program files\ESET
2010-09-22 17:34:26 -------- d-----w- c:\docume~1\troy\applic~1\deskPDF
2010-09-22 17:33:30 20886 ------w- c:\windows\system32\ddmon.dll
2010-09-21 13:52:49 -------- d-----w- c:\windows\SchCache
2010-09-21 13:39:31 246552 ----a-w- c:\windows\User Profile Migration Service.exe
2010-09-21 12:55:23 -------- d-----w- c:\windows\system32\NtmsData
2010-09-20 18:45:43 -------- d-----w- c:\docume~1\troy\applic~1\FreeFileSync
2010-09-20 18:45:16 -------- d-----w- c:\program files\FreeFileSync

==================== Find3M ====================

2010-08-17 13:17:06 58880 ------w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ------w- c:\windows\system32\xpsp4res.dll

============= FINISH: 12:48:46.09 ===============

chad5411
2010-10-19, 19:53
I might add that this is my boss's personal laptop, which he uses on the company network.

tashi
2010-10-19, 20:27
Hello chad5411,


In particular, Personal computers or..... (http://forums.spybot.info/showpost.php?p=25712&postcount=5)

As this forum is set up for volunteers to assist users with their personal home computers, this topic is closed.

Best regards.