Google results redirected to advertising site

Hewlett-packard Elitebook 8730w mobile w...
March 6, 2010 at 12:53:55
Specs: windows xp
Recently one of my computers has started to show signs of malware. When I perform a Google search and then click on one of the results, it will redirect to another page. I have tried running McAfee, the Microsoft malware tool, and also Malwarebytes and have not had any success. Some infected files were found and supposedly deleted but the problem persists.



#1
March 6, 2010 at 13:20:50
Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save both reports to your desktop then post them please.




#2
March 6, 2010 at 16:59:01
I am having the same issue and am interested in seeing what the fix might be.


#3
March 6, 2010 at 17:00:56

DDS (Ver_09-12-01.01) - NTFSx86
Run by wap04368 at 19:57:19.62 on Sat 03/06/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1976.1412 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: ISS Proventia 9.0.226.2212 *On-access scanning enabled* (Outdated) {B7252927-A948-4572-B610-4BD0952B2F93}
FW: ISS Proventia 9.0.226.2084 *enabled* {54260755-E399-4C76-B04C-9E6DD83D72FC}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\eSupport\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\eSupport\bin\tgsrvc.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\i386\Software\WinZip\9.1\DSS\WZQKPICK.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXRunControl.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Altiris\AClient\AClntUsr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\wap04368\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://localagency.dss.state.va.us/
mDefault_Page_URL = hxxp://www.state.va.us/cmsportal2
mStart Page = hxxp://spark.dss.virginia.gov
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [eSupport] "c:\program files\esupport\bin\sprtcmd.exe" /P eSupport
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\windows\i386\software\winzip\9.1\dss\WZQKPICK.EXE
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoPublishingWizard = 1 (0x1)
uPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: DisallowCpl = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: projcena
Trusted Zone: state.va.us\surya2.dss
Trusted Zone: state.va.us\surya4.dss
Trusted Zone: projcena
Trusted Zone: state.va.us\surya2.dss
Trusted Zone: state.va.us\surya4.dss
DPF: {15B782AF-55D8-11D1-B477-006097098764}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: AMINIT.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4
mASetup: FlashPlayer10.0.32.18 - msiexec /fpu {B7B3E9B3-FB14-4927-894B-E9124509AF5A}
mASetup: Quicktime7.6.4 - msiexec /fpu {A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
mASetup: RealPlayer11.0.6 - msiexec /fpu {99A23D83-E612-4F37-872D-7F5C88538C65}
mASetup: StandbyPowerConfig - c:\windows\i386\software\scripts\StandbySet.EXE
Hosts: 10.192.32.76 COVSMICES-ANS01 COVSMICES-ANS01.vita.virginia.gov COVSMICES-ANS01.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***
Hosts: 10.192.32.77 COVSMICES-ANS03 COVSMICES-ANS03.vita.virginia.gov COVSMICES-ANS03.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***
Hosts: 10.192.32.78 COVSMICES-ANS04 COVSMICES-ANS04.vita.virginia.gov COVSMICES-ANS04.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***
Hosts: 10.192.32.79 COVSMICES-ANS05 COVSMICES-ANS05.vita.virginia.gov COVSMICES-ANS05.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***
Hosts: 10.192.32.80 COVSMICES-ANS06 COVSMICES-ANS06.vita.virginia.gov COVSMICES-ANS06.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [2009-7-20 35270]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-3-7 9216]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
R2 BlackICE;BlackICE;c:\program files\iss\proventia desktop\blackd.exe [2009-12-22 2093322]
R2 HPM1319RcvFaxSrvc;HP M1319 Receive Fax Service;c:\program files\hp\hp laserjet m1319 mfp series\ReceiveFaxUtility.exe [2008-3-27 348160]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-1-27 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-1-27 54608]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2009-4-22 1221928]
R2 sprtsvc_esupport;SupportSoft Sprocket Service (esupport);c:\program files\esupport\bin\sprtsvc.exe [2009-4-22 202016]
R2 tgsrvc_esupport;SupportSoft Repair Service (esupport);c:\program files\esupport\bin\tgsrvc.exe [2009-4-22 148768]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\proventia desktop\vpatch.exe [2009-12-22 405770]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-6-12 477696]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-12-22 228408]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-11-17 238736]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 MakoNT;MakoNT;c:\windows\system32\drivers\isskboep.sys [2009-12-22 80512]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-11-17 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-11-17 34408]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-11-17 177864]
R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2009-12-22 50163]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2006-12-19 47616]
R4 black;black;c:\windows\system32\drivers\Blackcat.sys [2009-12-22 205938]
S3 HP1319EWS;HP1319EWS;c:\windows\system32\drivers\HP1319EWS.sys [2010-1-13 12800]
S3 HP1319FAX;HP1319MFP FAX;c:\windows\system32\drivers\HP1319FAX.sys [2010-1-13 13824]
S3 OracleOracleClientCache;OracleOracleClientCache;c:\oracle8i\bin\onrsd.exe --> c:\oracle8i\bin\ONRSD.EXE [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-03-06 21:36:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-06 21:36:12 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-06 20:46:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-06 20:46:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-06 20:46:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 22:14:14 0 d-----w- c:\docume~1\wap04368\applic~1\Malwarebytes
2010-03-05 22:14:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-05 04:33:03 0 d-----w- C:\5ceb26e25d65c8ee1696f901a1
2010-03-05 03:24:35 0 d-----w- c:\windows\system32\appmgmt
2010-03-04 01:49:53 0 d-----w- c:\docume~1\wap04368\applic~1\C1E4D68BB15AE0C1A2EF3E7005EBF819
2010-02-17 14:48:25 0 ----a-w- c:\windows\marker-inventory.tmp
2010-02-17 14:48:14 32256 ----a-w- c:\windows\system32\ntrights.exe
2010-02-08 17:00:15 756 ----a-w- C:\DSS_VPN.pcf

==================== Find3M ====================

2010-03-06 21:43:44 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-13 16:53:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_HP1319EWS_01005.Wdf
2010-01-13 16:52:58 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_HP1319FAX_01005.Wdf
2009-12-23 00:53:59 41 ----a-w- C:\AClient.dat
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 19:58:16.96 ===============


Here is the Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/22/2009 7:46:17 PM
System Uptime: 3/6/2010 7:51:40 PM (0 hours ago)

Motherboard: Hewlett-Packard | | 30DB
Processor: Intel Pentium III Xeon processor | Intel(R) Genuine processor | 2261/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 98.72 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) WiFi Link 5300 AGN
Device ID: PCI\VEN_8086&DEV_4236&SUBSYS_10118086&REV_00\4&318470AD&0&00E1
Manufacturer: Intel Corporation
Name: Intel(R) WiFi Link 5300 AGN
PNP Device ID: PCI\VEN_8086&DEV_4236&SUBSYS_10118086&REV_00\4&318470AD&0&00E1
Service: NETw5x32

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\1122334455667788
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\1122334455667788
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

No restore point in system.

==== Hosts File Hijack ======================

Hosts: 10.192.32.76 COVSMICES-ANS01 COVSMICES-ANS01.vita.virginia.gov COVSMICES-ANS01.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***
Hosts: 10.192.32.77 COVSMICES-ANS03 COVSMICES-ANS03.vita.virginia.gov COVSMICES-ANS03.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***
Hosts: 10.192.32.78 COVSMICES-ANS04 COVSMICES-ANS04.vita.virginia.gov COVSMICES-ANS04.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***
Hosts: 10.192.32.79 COVSMICES-ANS05 COVSMICES-ANS05.vita.virginia.gov COVSMICES-ANS05.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***
Hosts: 10.192.32.80 COVSMICES-ANS06 COVSMICES-ANS06.vita.virginia.gov COVSMICES-ANS06.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***
Hosts: 10.192.32.45 COVSMICES-ANS07 COVSMICES-ANS07.vita.virginia.gov COVSMICES-ANS07.cov.virginia.gov # Altiris NS ***DO NOT REMOVE OR MODIFY***

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 9.2
Adobe Shockwave Player
Agere Systems HDA Modem
Altiris Agent VITA Partnership - DSS
Altiris Application Metering Agent
Altiris Carbon Copy Solution Agent
Altiris Carbon Copy Solution Agent 6.2
Altiris Software Delivery Solution Agent
Apple Application Support
Attachmate EXTRA! X-treme 8
Attachmate INFOConnect Enterprise Edition
Authorware Player
CaseFinder
Cisco Systems VPN Client 5.0.01.0600
Compatibility Pack for the 2007 Office system
eSupport
FaxSendInstaller
FaxSetupInstaller
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB959252-v2)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP LaserJet M1319 MFP Series
HP LaserJet M1319 MFP Series Toolbox
HP LaserJet Toolbox
HP Quick Launch Buttons
ImgX
Internet Security Systems' Proventia Desktop
InterVideo DVD Check
InterVideo WinDVD
J Initiator 1.3.1.22
Java(TM) 6 Update 7
LIM DOLPHIN
Malwarebytes' Anti-Malware
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Professional Edition 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
OASIS 2000
Project Web Access Controls
QLBCASL
QuickTime
Readiris Pro 11
RealPlayer
ReceiveInstaller
Roxio Audio Module
Roxio Copy Module
Roxio Data Module
Roxio DLA
Roxio Express Labeler
Roxio MyDVD Plus
Scan To
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Security Zones- DSS
Time Zone Data Update Tool for Microsoft Office Outlook
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Virginia IT Infrastructure Partnership Orientation Guides
WebFldrs XP
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Enterprise Deployment
Windows Messenger 5.1
WinZip

==== Event Viewer Messages From Past Week ========

3/6/2010 9:37:39 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
3/5/2010 5:50:28 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
3/5/2010 3:33:34 PM, error: Service Control Manager [7022] - The McAfee Framework Service service hung on starting.
3/5/2010 10:08:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 ultra ViaIde
3/5/2010 10:07:22 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
3/5/2010 10:07:22 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
3/1/2010 6:27:56 PM, error: PlugPlayManager [12] - The device 'Communications Port (COM1)' (ACPI\PNP0501\5&230c8cd&0) disappeared from the system without first being prepared for removal.
3/1/2010 6:27:55 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.
2/28/2010 1:55:38 PM, error: Dhcp [1002] - The IP address lease 192.168.1.122 for the Network Card with network address 00216A4E6034 has been denied by the DHCP server 10.0.1.1 (The DHCP Server sent a DHCPNACK message).
2/27/2010 9:38:27 AM, error: NETLOGON [5719] - No Domain Controller is available for domain COV due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

==== End Of File ===========================


Thanks for your help.


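An added triage script, not part of this thread and not DDS or ComboFix code, that re-reads the line shapes DDS prints in the log above. It sorts the Hosts entries by what their address is (the entries in this log map internal COVSMICES names to 10.192.32.x addresses, so they are internal management hosts rather than a public name being redirected), reports any AppInit_DLLs value (every process that links user32.dll loads the DLL named there, so any value at all deserves a look), and flags a core boot driver whose modification time is months newer than the kernel's. That last check is what the atapi.sys line in Find3M above would have tripped: the file kept the same 96512-byte size reported everywhere else but carried a 2010-03-06 modification time against a kernel dated December 2009. The embedded SAMPLE_LOG is a shortened excerpt of the log above; the CORE_DRIVERS list and the 30-day window are this example's own assumptions.

```python
"""Triage helpers for the DDS.txt output posted above.

Added example: this is not part of the thread and not DDS or ComboFix code.
It re-parses the line formats DDS prints and flags the three things a
responder checks first on a search-redirect complaint:

  * Hosts: lines, sorted by where the address points (loopback/unspecified,
    private range, or a public address);
  * AppInit_DLLs, loaded into every process that links user32.dll, so any
    value at all is worth reviewing;
  * core boot drivers whose modification time is far newer than the
    kernel's, the trace an in-place patch leaves when the size is unchanged.

SAMPLE_LOG is a shortened excerpt of the log above; CORE_DRIVERS and the
30-day window are this example's own assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
AppInit_DLLs: AMINIT.dll
Hosts: 10.192.32.76 COVSMICES-ANS01 COVSMICES-ANS01.vita.virginia.gov # Altiris NS
Hosts: 10.192.32.77 COVSMICES-ANS03 COVSMICES-ANS03.vita.virginia.gov # Altiris NS
2010-03-06 21:43:44 96512 ----a-w- c:\\windows\\system32\\drivers\\atapi.sys
2009-12-08 19:26:15 2145280 ----a-w- c:\\windows\\system32\\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\\windows\\system32\\ntkrnlpa.exe
"""

# Boot-start drivers commonly patched in place (assumed list, not from DDS).
CORE_DRIVERS = {"atapi.sys", "ntfs.sys", "disk.sys", "iastor.sys"}

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+\S+\s+(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(.+?)(?:\s+#.*)?$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+)$")


def parse_file_entries(text):
    """(mtime, size, lower-cased path) for each 'Created Last 30'/'Find3M' line."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                            int(m.group(2)), m.group(3).lower()))
    return entries


def hosts_findings(text):
    """Classify each Hosts: line by the address it maps names to."""
    findings = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        names = m.group(2).split()
        if ip.is_loopback or ip.is_unspecified:
            kind = "blackhole"        # typical for blocking AV/update sites
        elif ip.is_private:
            kind = "internal"         # corporate management hosts, as here
        else:
            kind = "public-redirect"  # a name sent to someone else's server
        findings.append((kind, str(ip), names))
    return findings


def appinit_findings(text):
    """DLL names from AppInit_DLLs; an empty list is the only quiet answer."""
    dlls = []
    for line in text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            dlls.extend(d for d in re.split(r"[ ,]+", m.group(1)) if d)
    return dlls


def recently_modified_core_drivers(entries, kernel="ntoskrnl.exe",
                                   window=timedelta(days=30)):
    """Core drivers modified more than `window` after the kernel's mtime.

    A patch cycle rewrites the kernel and its drivers together; one driver
    rewritten months later, at its old size, is what tampering looks like.
    """
    kernel_times = [t for t, _, p in entries if p.endswith("\\" + kernel)]
    if not kernel_times:
        return []
    baseline = max(kernel_times)
    return [p for t, _, p in entries
            if p.rsplit("\\", 1)[-1] in CORE_DRIVERS and t - baseline > window]


def triage(text):
    """Bundle the three checks for one log."""
    return {
        "hosts": hosts_findings(text),
        "appinit_dlls": appinit_findings(text),
        "suspect_drivers": recently_modified_core_drivers(parse_file_entries(text)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the whole DDS.txt rather than the excerpt; the regexes match the line shapes shown in both the Pseudo HJT and Find3M sections. The driver check is a heuristic: a vendor storage driver legitimately updated out of band will trip it too, so treat a hit as a reason to pull the file and compare it against a reference copy, not as proof on its own.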


#4
March 6, 2010 at 18:11:03
Remember: your McAfee antivirus must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#5
March 6, 2010 at 18:54:12
when I attempted to run combofix it informed me that ISS
Proventia was active. I can not locate a program on my
computer called Proventia. Do you know how I can locate this
scanner?


#6
March 6, 2010 at 21:08:36
Go ahead and run Combofix; as you seem to be running from a workstation, it may not actually be on the computer but on a network.


#7
March 6, 2010 at 21:42:04
This problem occurs when your PC is infected by a browser hijacker. You should run the UnHack-Me tool to fix this problem, or follow the manual fix instructions from this tutorial:
http://darfuns.com/remove-google-se...


#8
March 7, 2010 at 08:02:53
Here is the Combo-Fix report:

ComboFix 10-03-06.03 - wap04368 03/07/2010 10:45:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1976.1501 [GMT -5:00]
Running from: c:\documents and settings\wap04368\Desktop\Combo-Fix.exe
AV: ISS Proventia 9.0.226.2212 *On-access scanning enabled* (Outdated) {B7252927-A948-4572-B610-4BD0952B2F93}
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: ISS Proventia 9.0.226.2084 *enabled* {54260755-E399-4C76-B04C-9E6DD83D72FC}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1935655697-1177238915-1417001333-500
c:\windows\run.log
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-06 21:36 . 2010-03-06 21:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-06 21:36 . 2010-03-06 21:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-04 01:49 . 2010-03-04 01:50 -------- d-----w- c:\documents and settings\wap04368\Application Data\C1E4D68BB15AE0C1A2EF3E7005EBF819
2010-02-24 18:22 . 2010-02-24 18:22 -------- d-----w- c:\documents and settings\wap04368\Local Settings\Application Data\Apple Computer
2010-02-17 14:48 . 2003-04-18 23:06 32256 ----a-w- c:\windows\system32\ntrights.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 21:43 . 2008-04-14 00:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-05 22:14 . 2010-03-05 22:14 -------- d-----w- c:\documents and settings\wap04368\Application Data\Malwarebytes
2010-03-05 22:14 . 2010-03-05 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-05 21:08 . 2010-02-01 14:26 -------- d-----w- c:\program files\CaseFinder
2010-03-05 03:24 . 2009-12-23 01:17 -------- d-----w- c:\program files\Oracle
2010-03-05 03:24 . 2009-11-17 15:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-24 13:51 . 2010-01-13 16:12 -------- d-----w- c:\documents and settings\wap04368\Application Data\VITA
2010-02-24 13:50 . 2010-02-17 14:48 0 ----a-w- c:\windows\marker-inventory.tmp
2010-01-26 14:37 . 2009-11-17 14:27 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-25 14:59 . 2010-01-25 14:59 -------- d-----w- c:\documents and settings\wap04368\Application Data\webex
2010-01-20 16:01 . 2010-01-20 16:01 -------- d-----w- c:\program files\MSECache
2010-01-20 15:15 . 2010-01-18 21:12 57104 ----a-w- c:\documents and settings\wap04368\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-20 01:11 . 2010-01-20 01:11 -------- d-----w- c:\program files\MSBuild
2010-01-20 01:11 . 2010-01-20 01:11 -------- d-----w- c:\program files\Reference Assemblies
2010-01-14 21:25 . 2009-11-17 14:31 -------- d-----w- c:\program files\Altiris
2010-01-14 21:25 . 2010-01-14 21:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-13 17:03 . 2010-01-13 17:02 -------- d-----w- c:\program files\Readiris Pro 11 HP
2010-01-13 16:53 . 2010-01-13 16:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_HP1319EWS_01005.Wdf
2010-01-13 16:52 . 2010-01-13 16:52 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_HP1319FAX_01005.Wdf
2010-01-13 16:51 . 2009-12-23 00:51 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-13 16:47 . 2010-01-13 16:47 -------- d-----w- c:\program files\HP
2010-01-13 16:47 . 2010-01-13 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-13 16:47 . 2010-01-13 16:47 57104 ----a-w- c:\documents and settings\VITA_Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-13 16:47 . 2010-01-13 16:47 -------- d-----w- c:\documents and settings\VITA_Admin\Application Data\HP
2010-01-13 16:20 . 2009-12-23 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Attachmate
2010-01-13 16:12 . 2009-11-17 15:11 -------- d-----w- c:\program files\QuickTime
2009-12-31 16:50 . 2009-11-17 17:16 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-23 01:17 . 2009-11-17 14:31 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2009-12-23 01:07 . 2009-12-23 01:07 95808 ----a-w- c:\windows\PSEXESVC.EXE
2009-12-23 00:53 . 2009-12-23 00:53 41 ----a-w- C:\AClient.dat
2009-12-22 05:21 . 2009-11-17 17:16 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2009-11-17 17:15 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43 . 2009-11-17 14:26 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-11-17 17:15 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2008-04-14 00:54 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"eSupport"="c:\program files\eSupport\bin\sprtcmd.exe" [2009-04-22 202016]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-09-21 127036]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-12-11 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-05 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-05 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-05 141848]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-09-03 288312]
"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2010-03-07 184320]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2009-09-30 152872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2009-12-22 6144]
WinZip Quick Pick.lnk - c:\windows\i386\Software\WinZip\9.1\DSS\WZQKPICK.EXE [2009-12-22 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisallowCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\AMInit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3102109963-2641124013-111641105-444385\Scripts\Logoff\0\0]
"Script"=%SYSTEMROOT%\SvcAreaUserLogoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3102109963-2641124013-111641105-444385\Scripts\Logon\0\0]
"Script"=\\cov.virginia.gov\netlogon\LogonScripts\SvcAreas\Start-Logon-v2.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3102109963-2641124013-111641105-444385\Scripts\Logon\1\0]
"Script"=GP-OU-U-0000 Reconfigure Mail Profile to Prefer RPC over HTTPS.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Documents and Settings\\wap04368\\Desktop\\Combo-Fix.exe"=

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 2:14 AM 24064]
R1 ATMDLC;Attachmate DLC Protocol;c:\windows\system32\drivers\atmdlc.sys [7/20/2009 10:37 AM 35270]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [3/7/2007 3:22 PM 9216]
R2 BlackICE;BlackICE;c:\program files\ISS\Proventia Desktop\blackd.exe [12/22/2009 8:24 PM 2093322]
R2 HPM1319RcvFaxSrvc;HP M1319 Receive Fax Service;c:\program files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe [3/27/2008 3:24 PM 348160]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [4/22/2009 10:53 AM 1221928]
R2 sprtsvc_esupport;SupportSoft Sprocket Service (esupport);c:\program files\eSupport\bin\sprtsvc.exe [4/22/2009 10:53 AM 202016]
R2 tgsrvc_esupport;SupportSoft Repair Service (esupport);c:\program files\eSupport\bin\tgsrvc.exe [4/22/2009 10:53 AM 148768]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\ISS\Proventia Desktop\vpatch.exe [12/22/2009 8:24 PM 405770]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [6/12/2008 6:40 AM 477696]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [12/22/2009 7:51 PM 228408]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/17/2009 12:16 PM 238736]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/23/2008 3:31 AM 44800]
R3 MakoNT;MakoNT;c:\windows\system32\drivers\isskboep.sys [12/22/2009 8:24 PM 80512]
R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [12/22/2009 8:24 PM 50163]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [12/19/2006 6:08 PM 47616]
R4 black;black;c:\windows\system32\drivers\Blackcat.sys [12/22/2009 8:24 PM 205938]
S3 HP1319EWS;HP1319EWS;c:\windows\system32\drivers\HP1319EWS.sys [1/13/2010 11:53 AM 12800]
S3 HP1319FAX;HP1319MFP FAX;c:\windows\system32\drivers\HP1319FAX.sys [1/13/2010 11:52 AM 13824]
S3 OracleOracleClientCache;OracleOracleClientCache;c:\oracle8i\bin\ONRSD.EXE --> c:\oracle8i\bin\ONRSD.EXE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\StandbyPowerConfig]
2010-01-26 15:44 125917 ----a-w- c:\windows\i386\Software\Scripts\StandbySet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2008-04-14 12:00 99840 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://localagency.dss.state.va.us/
mStart Page = hxxp://spark.dss.virginia.gov
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: projcena
Trusted Zone: state.va.us\surya2.dss
Trusted Zone: state.va.us\surya4.dss
Trusted Zone: projcena
Trusted Zone: state.va.us\surya2.dss
Trusted Zone: state.va.us\surya4.dss
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
ActiveSetup-FlashPlayer10.0.32.18 - msiexec
ActiveSetup-Quicktime7.6.4 - msiexec
ActiveSetup-RealPlayer11.0.6 - msiexec
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 10:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2564)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Altiris\AClient\AClient.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\windows\system32\ccsrvc.exe
c:\program files\Altiris\Carbon Copy\shellker.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\imapi.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\ISS\Proventia Desktop\RapApp.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\progra~1\Altiris\CARBON~1\client.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-03-07 10:59:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 15:59

Pre-Run: 105,944,203,264 bytes free
Post-Run: 106,234,077,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 38677119A4488069C1E8096768BA8598

Thanks again, let me know what you think.


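Reading the Reg Loading Points section of a log like the one above by hand is slow, so here is an added example (not part of this thread and not ComboFix's own code) that parses that REGEDIT4-style section and flags the entries a responder checks first: AppInit_DLLs values, a disabled firewall profile, and Run entries that start from outside Program Files or the Windows directory. The sample log is constructed from lines in the posted log plus one made-up Run entry ("Updater") so the path check has something to flag.

```python
import re

# Constructed sample: lines copied from the thread's ComboFix log plus one
# made-up Run entry (Updater) so the path check has something to flag.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Updater"="c:\documents and settings\wap04368\Application Data\upd.exe" [2010-03-01 1234]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\AMInit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data, optionally followed by ComboFix's trailing [date size] tag.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*?)(?:\s+\[[\d-]+\s+\d+\])?$')
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\")

def parse_loading_points(text):
    """Return (key, value_name, data) tuples from a REGEDIT4-style section."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("data").strip().strip('"')))
    return entries

def triage(entries):
    """Return review notes for entries a responder should verify first."""
    notes = []
    for key, name, data in entries:
        if name.lower() == "appinit_dlls" and data:
            # Any DLL listed here is loaded into every process that links user32.
            notes.append(f"AppInit_DLLs loads {data}: confirm publisher and hash")
        elif name.lower() == "enablefirewall" and data.startswith("0"):
            notes.append(f"Windows Firewall is off in {key}")
        elif key.lower().endswith("\\run") and not data.lower().startswith(EXPECTED_DIRS):
            notes.append(f"Run value '{name}' starts {data} from a user-writable path")
    return notes

if __name__ == "__main__":
    for note in triage(parse_loading_points(SAMPLE_LOG)):
        print(note)
```

A flagged entry is a review prompt, not a verdict; confirm the file's publisher and hash before deleting anything.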

#9
March 7, 2010 at 08:24:18
If you are not being redirected we were successful.

Delete DDS from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.



#10
March 7, 2010 at 17:29:51
Great, everything looks to be in order. Thanks so much for your help.


#11
March 7, 2010 at 17:45:38
Glad we could help.
