Malware Preventing All Anti-Virus Software From Running



enosuomynona
2011-07-03, 01:11
My computer got infected with some kind of malware this morning that is preventing all my Anti-Virus software from running. I keep getting the message "Windows cannot access the specified device, path, or file. You may not have appropriate permission to access the item."

The malware is also turning each Anti-Virus software's EXE files into hidden write-protected files. I tried to uncheck the "Read-Only" box in Properties and it keeps reverting back to "Read-Only", and the files can't be uninstalled or deleted.

I also tried to run ComboFix and it seems to get stuck at the screen that says "Scanning for infected files.... "; after two hours of waiting there was no further activity.

Below is the DDS File.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by wke914 at 19:05:50 on 2011-07-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2996.2160 [GMT -4:00]
.
AV: Cisco Security Agent *Disabled/Updated* {AA4D2B20-3969-4AF5-9386-C569FC5AA460}
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Cisco Security Agent *Enabled*
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe
C:\Program Files\Cisco\CSAgent\bin\leventmgr.exe
C:\Program Files\Cisco\CSAgent\bin\dcgate.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Cisco\Cisco Secure Services Client\Cisco_SSCservice.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\WINDOWS\system32\enproc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Audit Manager\AuditManagerService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Cisco\Cisco Secure Services Client\Cisco_SSCgui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\McAfee\Policy Auditor Agent\PASysTray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Cisco\CSAgent\bin\okclient.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\ERUNT\ERUNT.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = Https://square.aexp.com
uDefault_Page_URL = Https://square.aexp.com
mDefault_Page_URL = Https://square.aexp.com
uInternet Settings,ProxyServer = proxy-phoenix.aexp.com:8080
uInternet Settings,ProxyOverride = *.aexp.com;*.amex-trs.com;*.amexweb.com;*.slcaexp.com;148.17*;phx*;obt*;intek*;quotes*;10.*;*fa.aexp.com;itrade*;IEWF*;139.71.*;ps.webhrlink.com;*amexweb.btci.com;*mgd.msft.net;<local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [OfficeAuth] "c:\program files\microsoft office\gettingstarted\SetAuthorInfo.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CiscoCSSCgui] "c:\program files\cisco\cisco secure services client\Cisco_SSCgui.exe"
mRun: [<NO NAME>]
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Hot Key Kbd Daemon] SKDAEMON.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [McAfee Policy Auditor Tray Icon] "c:\program files\mcafee\policy auditor agent\PASysTray.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
dRun: [OfficeAuth] "c:\program files\microsoft office\gettingstarted\SetAuthorInfo.exe"
StartupFolder: c:\docume~1\wke914\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco\csagent\bin\okclient.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{b560691d-502c-4441-b639-44e9ad7a6996}\Icon6560581611.exe
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-system: HideLogonScripts = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\PGPlsp.dll
LSP: bmnet.dll
Trusted Zone: myaxplearning.com
Trusted Zone: omniroot.com\secure
Trusted Zone: skillport.com
Trusted Zone: skillwsa.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 207.69.188.187 207.69.188.185 207.69.188.186
TCP: Interfaces\{867B2D4A-4E91-42C3-9628-0B99EDFD64C4} : DhcpNameServer = 172.16.64.215 172.16.64.215
TCP: Interfaces\{E5DC129D-C11E-4FA3-B7A8-78847970C922} : DhcpNameServer = 207.69.188.187 207.69.188.185 207.69.188.186
Handler: x-owacid2 - {5B290518-830E-4C57-A66B-E4F748900C27} - c:\program files\microsoft\smime client (2010)\mimectl.dll
Notify: csscsso - csscsso.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli PGPpwflt
mASetup: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - rundll32.exe advpack.dll,LaunchINFSection c:\\windows\\inf\\wmp.inf,PerUserStub
mASetup: InternetExplorer_700^100 - "c:\program files\internet explorer\IE7Settings.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\wke914\application data\mozilla\firefox\profiles\tplprcdf.default\
FF - prefs.js: browser.startup.homepage - hxxps://webmail.earthlink.net/wam/login.jsp?redirect=%2Fwam%2Findex.jsp&x=-436626317&x=756804073
FF - prefs.js: network.proxy.ftp - proxy-phoenix.aexp.com
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - proxy-phoenix.aexp.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy-phoenix.aexp.com
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy-phoenix.aexp.com
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
============= SERVICES / DRIVERS ===============
.
R0 csacenter;Cisco Security Agent Rule Engine;c:\windows\system32\drivers\csacentr.sys [2011-5-26 372352]
R0 csafile;Cisco Security Agent File Access Controller;c:\windows\system32\drivers\csafile.sys [2011-5-26 137856]
R0 csanet;Cisco Security Agent Packet Verifier;c:\windows\system32\drivers\csanet.sys [2011-5-26 311552]
R0 csareg;Cisco Security Agent Registry Access Controller;c:\windows\system32\drivers\csareg.sys [2011-5-26 52864]
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2011-5-26 24304]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-9-1 344712]
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2009-10-9 136312]
R1 csatdi;Cisco Security Agent Network Access Controller;c:\windows\system32\drivers\csatdi.sys [2011-5-26 463232]
R1 enproc_;enproc_;c:\windows\system32\enproc_.sys [2011-5-26 77760]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-5-26 13480]
R2 Cisco Secure Services Client;Cisco Secure Services Client;c:\program files\cisco\cisco secure services client\Cisco_SSCservice.exe [2008-5-9 1232896]
R2 CSAgent;Cisco Security Agent;c:\program files\cisco\csagent\bin\csacontrol.exe [2011-5-26 348160]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2011-5-26 132456]
R2 enproc;enproc;c:\windows\system32\enproc.exe [2011-5-26 937984]
R2 McAfeeAuditManager;McAfee Audit Manager Service;c:\program files\mcafee\audit manager\AuditManagerService.exe [2010-8-11 200704]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-3-28 132416]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-8-25 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-9-1 69192]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2010-3-17 240816]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2011-5-26 53248]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2011-5-26 63928]
R3 CiscoSSD;Cisco Secure Services Miniport Driver;c:\windows\system32\drivers\css_drv.sys [2011-5-26 42240]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-9-1 167080]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-9-1 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-5-27 132480]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-5-27 235520]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2010-3-17 27208]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2010-3-17 79944]
S2 EDPA;EDPA;c:\program files\manufacturer\endpoint agent\edpa.exe [2011-1-25 241336]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-8-25 22816]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-8-25 147984]
S2 WDP;WDP;c:\program files\manufacturer\endpoint agent\wdp.exe [2011-1-25 211640]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2010-7-15 121416]
S3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2009-7-16 67840]
S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2009-7-16 107776]
S3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2009-7-16 8064]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-1 91896]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-1 43288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-1 66536]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2010-3-17 22600]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2010-3-17 25160]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2010-9-1 14336]
S3 SFsCtrx;SFsCtrx;c:\windows\system32\drivers\SFsCtrx.sys [2011-6-29 47800]
S3 tdifd105;tdifd105;c:\windows\system32\drivers\tdifd105.sys [2011-6-29 45624]
S3 vfsmfd;vfsmfd;c:\windows\system32\drivers\vfsmfd.sys [2011-6-29 47672]
S3 vrtam;vrtam;c:\windows\system32\drivers\vrtam.sys [2011-6-29 19256]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2010-9-1 14336]
S4 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-5-26 45496]
.
=============== Created Last 30 ================
.
2011-07-02 21:42:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-02 21:05:03 -------- d--h--w- c:\windows\PIF
2011-07-02 17:52:09 -------- d-s---w- C:\ComboFix
2011-07-02 16:09:33 -------- d-sha-r- C:\cmdcons
2011-07-02 16:06:21 98816 ----a-w- c:\windows\sed.exe
2011-07-02 16:06:21 518144 ----a-w- c:\windows\SWREG.exe
2011-07-02 16:06:21 256000 ----a-w- c:\windows\PEV.exe
2011-07-02 16:06:21 208896 ----a-w- c:\windows\MBR.exe
2011-07-02 13:53:33 25984 ----a-w- c:\windows\system32\drivers\1306475805.sys
2011-07-01 14:23:38 77824 ----a-w- c:\windows\system32\enprocepo.dll
2011-06-30 12:33:39 -------- d-----w- c:\windows\ms
2011-06-29 12:07:00 47800 ----a-w- c:\windows\system32\drivers\SFsCtrx.sys
2011-06-29 12:06:59 45624 ----a-w- c:\windows\system32\drivers\tdifd105.sys
2011-06-29 12:06:57 19256 ----a-w- c:\windows\system32\drivers\vrtam.sys
2011-06-29 12:06:49 47672 ----a-w- c:\windows\system32\drivers\vfsmfd.sys
2011-06-29 12:06:10 -------- d-----w- c:\program files\Manufacturer
2011-06-27 12:30:50 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 17:30:21 -------- d-----w- c:\documents and settings\wke914\application data\Aventail
2011-06-16 17:24:57 -------- d-----w- c:\documents and settings\wke914\application data\AT&T
2011-06-16 17:24:35 40408 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2011-06-16 17:24:35 -------- d-----w- c:\documents and settings\wke914\application data\Sierra Wireless
2011-06-16 17:23:53 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-06-16 17:23:48 23680 ----a-w- c:\windows\system32\drivers\motmodem.sys
2011-06-16 17:23:48 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2011-06-16 17:23:37 -------- d-----w- c:\program files\common files\Motorola Shared
2011-06-16 17:22:54 -------- d-----w- c:\program files\common files\Research In Motion
2011-06-16 17:22:54 -------- d-----w- c:\documents and settings\all users\application data\LG
2011-06-16 17:22:51 -------- d-----w- c:\program files\Sierra Wireless Inc
2011-06-16 17:22:51 -------- d-----w- c:\program files\AT&T
2011-06-16 17:22:51 -------- d-----w- c:\documents and settings\all users\application data\AT&T
2011-06-16 05:38:22 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-06-16 05:37:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-15 15:01:42 -------- d-----w- c:\program files\GuidanceSoftware
2011-06-13 19:38:48 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-06-13 19:38:48 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-06-13 19:37:49 -------- d-----w- c:\program files\iPod
2011-06-13 19:37:45 -------- d-----w- c:\program files\iTunes
2011-06-13 19:37:45 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-06-13 19:37:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-06-13 19:37:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-06-13 19:37:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-06-13 19:37:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-06-13 19:37:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-06-13 19:37:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-06-13 19:37:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-06-13 19:36:26 -------- d-----w- c:\documents and settings\wke914\local settings\application data\Apple
2011-06-13 19:36:12 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-06-13 19:36:12 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-06-13 19:35:47 -------- d-----w- c:\program files\Bonjour
2011-06-13 19:35:06 -------- d-----w- c:\documents and settings\wke914\local settings\application data\Apple Computer
2011-06-13 16:33:06 -------- d-----w- c:\documents and settings\wke914\local settings\application data\Mozilla
2011-06-13 15:25:51 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-06-13 15:25:51 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-06-13 15:25:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-06-13 15:25:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-06-13 15:25:07 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-06-13 15:25:07 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-06-13 15:25:03 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-06-13 15:25:03 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-06-13 15:25:01 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-06-13 15:25:01 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-06-13 14:27:25 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-06-13 14:20:36 -------- d-----w- c:\documents and settings\wke914\local settings\application data\Adobe
2011-06-13 14:02:26 -------- d-----w- c:\documents and settings\wke914\HODObjs
2011-06-13 14:02:25 -------- d-----w- c:\documents and settings\wke914\HODData
2011-06-13 14:02:21 -------- d-----w- c:\documents and settings\wke914\HODCCsnaipc-hod.ipc.us.aexp.com
2011-06-13 13:59:35 -------- d-----w- c:\documents and settings\wke914\HODCC
2011-06-13 13:00:37 -------- d-----w- c:\documents and settings\wke914\local settings\application data\assembly
2011-06-13 12:58:01 -------- d-----w- c:\program files\TMSSequoia
2011-06-13 12:56:35 -------- d-----w- c:\program files\Citrix
2011-06-13 12:55:57 -------- d-----w- c:\program files\Installed Applications
2011-06-13 12:55:31 65536 ------w- c:\windows\system32\SKUSBKBD.DLL
2011-06-13 12:55:31 6397952 ------w- c:\windows\system32\PKCFG.EXE
2011-06-13 12:55:31 61440 ------w- c:\windows\system32\SKOSD.DLL
2011-06-13 12:55:31 61440 ------w- c:\windows\system32\SKHOOKS.DLL
2011-06-13 12:55:31 53248 ------w- c:\windows\system32\PKCPL.CPL
2011-06-13 12:55:31 49152 ------w- c:\windows\system32\SKSETUP.DLL
2011-06-13 12:55:31 40960 ------w- c:\windows\system32\SKDAEMON.EXE
2011-06-13 12:55:31 155648 ------w- c:\windows\system32\SKUNINST.EXE
2011-06-13 12:55:31 131072 ------w- c:\windows\system32\SKUTIL.DLL
2011-06-13 12:54:04 -------- d-----w- c:\program files\common files\SureThing Shared
2011-06-13 12:53:21 -------- d-----w- c:\program files\Sonic
2011-06-11 07:37:13 -------- d-----w- c:\windows\system32\Adobe
2011-06-11 07:33:12 -------- d-----w- c:\program files\American Express
2011-06-11 07:26:18 -------- d-----w- c:\windows\ServicePackFiles
2011-06-10 21:13:06 -------- d-----w- c:\program files\Microsoft
2011-06-10 20:36:22 -------- d-----w- c:\windows\Downloaded Installations
2011-06-10 20:28:12 -------- d-----w- c:\documents and settings\wke914\local settings\application data\Lotus
2011-06-10 20:20:21 -------- d-----w- c:\documents and settings\wke914\local settings\application data\PGP Corporation
2011-06-10 20:20:20 -------- d-----w- c:\documents and settings\wke914\tracing
2011-06-10 20:20:09 -------- d-----w- c:\documents and settings\wke914\application data\McAfee
2011-06-10 20:20:09 -------- d-----w- c:\documents and settings\wke914\application data\Lenovo
2011-06-10 20:18:47 -------- d-----w- c:\documents and settings\wke914\application data\PGP Corporation
.
==================== Find3M ====================
.
2011-07-01 14:23:38 937984 ----a-w- c:\windows\system32\enproc_.exe
2011-07-01 14:23:37 77760 ----a-w- c:\windows\system32\enproc_.sys
2011-07-01 14:23:36 937984 ----a-w- c:\windows\system32\enproc.exe
2011-05-26 13:30:41 78440 ----a-w- c:\windows\system32\PGPlspRollback.reg
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01:21 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 19:06:20.57 ===============


Thanks.

tashi
2011-07-05, 16:55
Member sent PM that the issue is resolved so this topic has been archived. :)


FYI for all users.
"I also tried to run ComboFix and it seems to get stuck at the screen that says "Scanning for infected files.... "; after two hours of waiting there was no further activity."

Please DO NOT RUN ComboFix without being asked (http://forums.spybot.info/showthread.php?t=16806)