Old 06-26-2009, 03:25 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 2
OS: WinXP


Twisted Rootkit "SKYNET"

This all started with a Google redirect: any link I'd click on Google after doing a search would send me to an ad site.

McAfee showed nothing, Spybot nothing, but I ran Malwarebytes Anti-Malware and that detected "Backdoor.Bot".

Malwarebytes removed a file called "instaler.exe".

Thanks


DDS output below:


DDS (Ver_09-06-26.01) - NTFSx86
Run by XXXX at 16:43:01.46 on Fri 06/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.165 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\e-buro.exe
C:\WINNT\system32\APSmscan.exe
svchost.exe
C:\Program Files\Equant\dialer\EACSvrMngr.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Oracle\ODrive\XfsSvcCon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\quickres.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\e-buroUI.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\sj655\hpupdate.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Oracle\ODrive\odrive.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Oracle\ODrive\ODFWAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\JTVD9204\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by e-buro
uStart Page = hxxp://connection.equant.com
uSearch Bar = hxxp://recherche.si.francetelecom.fr
mDefault_Page_URL = hxxp://connection.equant.com
uInternet Settings,ProxyOverride = <local>
BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {310244ee-eceb-f485-b84a-d69d7c9dd688} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\winnt\system32\dla\tfswshx.dll
BHO: ODriveAdvPropHelper Class: {5d33b3e0-4fb3-4ed1-9106-b6eb06a3b7c2} - c:\winnt\system32\ODriveHelper.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Persistence] c:\winnt\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [USRPKGS] c:\winnt\usrpkgs\launch.vbs
mRun: [eburoUI] "c:\winnt\system32\e-buroUI.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [dla] c:\winnt\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.vbs"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Update 4200C] c:\sj655\hpupdate.exe 4200C+
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
mExplorerRun: [1] quickres.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\oracle~1.lnk - c:\program files\oracle\odrive\odrive.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: StartRunNoHOMEPATH = 1 (0x1)
uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)
uPolicies-explorer: Btn_Back = 1 (0x1)
uPolicies-explorer: Btn_Forward = 1 (0x1)
uPolicies-explorer: Btn_Stop = 1 (0x1)
uPolicies-explorer: Btn_Refresh = 1 (0x1)
uPolicies-explorer: Btn_Home = 1 (0x1)
uPolicies-explorer: Btn_Search = 1 (0x1)
uPolicies-explorer: Btn_Favorites = 1 (0x1)
uPolicies-explorer: Btn_History = 1 (0x1)
uPolicies-explorer: Btn_Media = 2 (0x2)
uPolicies-explorer: Btn_Folders = 2 (0x2)
uPolicies-explorer: Btn_Fullscreen = 1 (0x1)
uPolicies-explorer: Btn_Tools = 1 (0x1)
uPolicies-explorer: Btn_MailNews = 2 (0x2)
uPolicies-explorer: Btn_Size = 1 (0x1)
uPolicies-explorer: Btn_Print = 1 (0x1)
uPolicies-explorer: Btn_Edit = 1 (0x1)
uPolicies-explorer: Btn_Discussions = 2 (0x2)
uPolicies-explorer: Btn_Cut = 2 (0x2)
uPolicies-explorer: Btn_Copy = 1 (0x1)
uPolicies-explorer: Btn_Paste = 2 (0x2)
uPolicies-explorer: Btn_Encoding = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
uPolicies-system: HideLegacyLogonScripts = 1 (0x1)
mPolicies-explorer: nosmconfigureprograms = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: RunLogonScriptSync = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} - hxxp://srvgpw685d.ren.globalone.net/iNotes.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 TivoliAP
LSA: Notification Packages =

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jtvd9204\applic~1\mozilla\firefox\profiles\3uouf8xo.default\
FF - plugin: c:\program files\plugins\npatgpc.dll
FF - HiddenExtension: XUL Cache: {8CA85E2F-747D-4F76-A7C1-2B2E2AE6F02B} - c:\documents and settings\jtvd9204\local settings\application data\{8CA85E2F-747D-4F76-A7C1-2B2E2AE6F02B}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\winnt\system32\drivers\mfehidk.sys [2009-3-25 205608]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
R1 TDFSD;TDFSD;c:\winnt\system32\drivers\tdfsd.sys [2009-2-25 945984]
R1 TGrab;Tivoli Remote Control Text Grabber;c:\winnt\system32\drivers\TGRAB.SYS [2008-1-19 6688]
R2 APSMDrv;Intranet Server Client Software Usage driver;c:\winnt\system32\drivers\APSMDrv.sys [2009-3-25 3223]
R2 APSMScan;Intranet Server Client Software Usage;APSmscan.exe --> APSmscan.exe [?]
R2 eburo;Service e-buro;c:\winnt\system32\e-buro.exe [2008-7-8 98304]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2008-3-26 1455424]
R2 i2050QoSSvc;Nortel IP Softphone 2050 QoS;c:\program files\nortel\ip softphone 2050\i2050QosSvc.exe [2007-12-24 114688]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-3-25 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
R2 MouEx2;Tivoli Remote Control Pointer Filter;c:\winnt\system32\drivers\MOUEX2.SYS [2008-1-19 2898]
R2 OdService;ODrive Service;c:\program files\oracle\odrive\xfssvccon.exe svcmanager --> c:\program files\oracle\odrive\XfsSvcCon.exe svcmanager [?]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2009-3-25 24521]
R3 eDataVideoCap;eDataVideoCap;c:\winnt\system32\drivers\eDataVideoCap.sys [2009-4-1 25600]
R3 FirehkMP;FirehkMP;c:\winnt\system32\drivers\firehk.sys [2008-2-29 42056]
R3 HIPK;McAfee Inc. HIPK;c:\winnt\system32\drivers\HIPK.sys [2009-3-25 100104]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\winnt\system32\drivers\HIPPSK.sys [2009-3-25 30856]
R3 HIPQK;McAfee Inc. HIPQK;c:\winnt\system32\drivers\HIPQK.sys [2009-3-25 27976]
R3 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-3-25 46400]
R3 KeyEx2;Tivoli Remote Control Keyboard Filter;c:\winnt\system32\drivers\KEYEX2.SYS [2008-1-19 5751]
R3 mfeavfk;McAfee Inc.;c:\winnt\system32\drivers\mfeavfk.sys [2009-3-25 72936]
R3 mfebopk;McAfee Inc.;c:\winnt\system32\drivers\mfebopk.sys [2009-3-25 33960]
RUnknown anvpvv;anvpvv; [x]
S2 goxmtpda;Bluetooth Port Controller;c:\winnt\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 SicltNT;Intranet Server Client;SICLT32.EXE --> SICLT32.EXE [?]
S3 APSINV;APSINV;c:\winnt\system32\drivers\APSINV.SYS [2009-3-25 23408]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\winnt\system32\drivers\firehk.sys [2008-2-29 42056]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2009-3-25 155216]
S3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\winnt\system32\drivers\nwdelmdm.sys [2007-5-30 92288]
S3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\winnt\system32\drivers\nwdelser.sys [2007-5-30 92288]

=============== Created Last 30 ================

2009-06-26 14:55 75,072 a------- c:\winnt\system32\HIPIS0e0015b.dll
2009-06-26 14:55 113 a------- c:\winnt\system32\api_hook_list.dat
2009-06-26 13:35 0 a------- c:\program files\.autoreg
2009-06-23 16:51 <DIR> --d----- c:\program files\common files\HP
2009-06-23 16:50 626,960 a----r-- c:\winnt\system32\hpvaut32.dll
2009-06-23 16:50 487,424 a----r-- c:\winnt\system32\hpvcp70.dll
2009-06-23 16:50 344,064 a----r-- c:\winnt\system32\hpvcr70.dll
2009-06-23 16:50 44,544 a----r-- c:\winnt\system32\MSXML4a.dll
2009-06-23 16:31 102,006 -------- c:\winnt\hpoins04.dat.temp
2009-06-23 16:31 17,218 -------- c:\winnt\hpomdl04.dat.temp
2009-06-23 15:38 <DIR> --d----- c:\docume~1\jtvd9204\applic~1\Printer Info Cache
2009-06-21 12:27 69,120 a------- c:\winnt\system32\drivers\SKYNETlnxvqitw.syssws
2009-06-21 12:27 69,120 a------- c:\winnt\system32\drivers\SKYNETlnxvqitw.sys
2009-06-16 09:28 81,920 a------- c:\winnt\system32\cpwmon2k.dll
2009-06-16 09:28 49,152 a------- c:\winnt\system32\uninscpw.exe
2009-06-16 09:28 221,184 a------- c:\winnt\system32\cpwsave.exe
2009-06-16 09:28 <DIR> --d----- c:\program files\Acro Software
2009-06-16 09:28 <DIR> --d----- c:\program files\gs8.14
2009-06-16 09:27 <DIR> --d----- c:\documents and settings\jtvd9204\WINDOWS
2009-06-03 10:54 4,764 a------- c:\winnt\system32\CcmFramework.ini
2009-06-03 10:54 621 a------- c:\winnt\system32\CcmFramework.h
2009-06-03 10:53 <DIR> --d----- c:\winnt\ms
2009-06-03 10:50 <DIR> --d----- c:\program files\Windows Imaging
2009-06-03 10:50 <DIR> -cd-h--- c:\winnt\$UninstallRDC$
2009-06-03 10:50 <DIR> --d----- c:\program files\MSXML 6.0
2009-06-03 10:02 <DIR> --d----- c:\winnt\system32\bits
2009-06-03 10:02 7,168 -c------ c:\winnt\system32\dllcache\bitsprx4.dll
2009-06-03 10:02 7,168 -------- c:\winnt\system32\bitsprx4.dll
2009-05-27 23:26 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2009-06-26 13:36 4,060 a------- c:\program files\updates.xml
2009-06-26 13:36 57 a------- c:\program files\active-update.xml
2009-06-26 13:36 9,777,144 a------- c:\program files\xul.dll
2009-06-23 16:54 104,168 a------- c:\winnt\hpoins04.dat
2009-06-17 11:27 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\winnt\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\winnt\system32\deploytk.dll
2009-05-05 10:20 51,304 a------- c:\winnt\system32\drivers\atnt40k.sys
2009-05-05 10:20 202,323 a------- c:\winnt\system32\atasnt40.dll
2009-04-04 21:24 262,144 a------- c:\winnt\system32\default_user_class.dat
2009-04-04 21:19 119,808 a------- C:\VundoFix.exe
2009-04-04 15:51 778 a------- c:\program files\zpqlkk.txt
2009-03-26 18:58 19,303 a------- c:\program files\install.log

============= FINISH: 16:43:15.73 ===============
Attached Files: attach.zip (5.8 KB)
formula1nyc is offline  
Old 06-30-2009, 08:49 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,661
OS: XP SP3


Re: Rootkit "SKYNET"

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not attempt any fixes on your own or run scanners unless requested by a helper.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

Download ResetTeaTimer and save it to your Desktop.
  • Double-click ResetTeaTimer.zip
  • Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.
  • A DOS window will open and close again, this is normal.
------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please see this >> http://img.photobucket.com/albums/v6...ee_disable.gif

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------

Please download GooredFix and Save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes
  • GooredFix will check for infections, and then a log will appear.
  • Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
------------------------------------------------------
Last edited by chemist; 06-30-2009 at 08:51 PM.
chemist is offline  
Old 06-30-2009, 10:58 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 2
OS: WinXP


Re: Rootkit "SKYNET"

Thanks for the reply, although I think I was able to get rid of it after opening the thread.

I used MBAM + ComboFix to get rid of the trojan and have been running DDS, GMER, and ComboFix for the past couple of days to make sure it hasn't returned.

At any rate, I disabled TeaTimer and ran ComboFix and GooredFix. I cannot disable antivirus because I do not have admin access on this machine.

GOORED OUTPUT:

GooredFix by jpshortstuff (30.06.09)
Log created at 00:34 on 01/07/2009 (xxxUSERxxx)
Firefox version 3.0.11 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:09 25/03/2009]

-=E.O.F=-


I've made some minor edits to hide the trusted sites as well as the user name of the box. Other than that, nothing was modified.


And the COMBOFIX output:

ComboFix 09-06-28.01 - xxUSERxx 07/01/2009 0:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.489 [GMT -4:00]
Running from: c:\documents and settings\xxUSERxx\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-29 04:15 . 2009-06-29 04:15 -------- d-----w- c:\winnt\ms
2009-06-29 04:11 . 2009-06-29 04:11 -------- dc----w- c:\winnt\system32\dllcache\cache
2009-06-29 03:59 . 2009-06-29 15:41 -------- d-----w- c:\winnt\system32\NtmsData
2009-06-23 20:57 . 2009-06-23 20:57 -------- d-----w- c:\documents and settings\xxUSERxx\Local Settings\Application Data\IsolatedStorage
2009-06-23 20:57 . 2009-06-23 20:57 -------- d-----w- c:\documents and settings\xxUSERxx\Local Settings\Application Data\HP
2009-06-23 20:57 . 2009-06-23 20:57 131 ----a-w- c:\documents and settings\xxUSERxx\Local Settings\Application Data\fusioncache.dat
2009-06-23 20:51 . 2009-06-23 20:51 -------- d-----w- c:\program files\Common Files\HP
2009-06-23 20:50 . 2009-06-23 20:50 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-23 20:50 . 2009-06-23 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-06-23 20:50 . 2004-05-11 14:53 626960 ----a-r- c:\winnt\system32\hpvaut32.dll
2009-06-23 20:50 . 2004-05-11 14:53 487424 ----a-r- c:\winnt\system32\hpvcp70.dll
2009-06-23 20:50 . 2004-05-11 14:53 44544 ----a-r- c:\winnt\system32\MSXML4a.dll
2009-06-23 20:50 . 2004-05-11 14:53 344064 ----a-r- c:\winnt\system32\hpvcr70.dll
2009-06-23 20:49 . 2009-06-23 20:49 45056 ----a-r- c:\documents and settings\xxUSERxx\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2009-06-23 19:38 . 2009-06-23 19:38 -------- d-----w- c:\documents and settings\xxUSERxx\Application Data\Printer Info Cache
2009-06-23 19:38 . 2009-06-23 19:38 -------- d-----w- c:\documents and settings\xxUSERxx\Application Data\Image Zone Express
2009-06-18 01:05 . 2009-06-26 19:59 -------- d-----w- c:\documents and settings\xxUSERxx\Local Settings\Application Data\Deployment
2009-06-16 13:28 . 2004-05-09 22:29 81920 ----a-w- c:\winnt\system32\cpwmon2k.dll
2009-06-16 13:28 . 2004-05-04 16:18 49152 ----a-w- c:\winnt\system32\uninscpw.exe
2009-06-16 13:28 . 2009-06-16 13:28 -------- d-----w- c:\program files\Acro Software
2009-06-16 13:28 . 2004-05-04 16:02 221184 ----a-w- c:\winnt\system32\cpwsave.exe
2009-06-16 13:28 . 2009-06-16 13:28 -------- d-----w- c:\program files\gs8.14
2009-06-16 13:27 . 2009-06-16 13:27 -------- d-----w- c:\documents and settings\xxUSERxx\WINDOWS
2009-06-11 16:39 . 2009-06-11 16:39 152576 ----a-w- c:\documents and settings\xxUSERxx\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 14:50 . 2009-06-03 14:50 -------- d-----w- c:\program files\Windows Imaging
2009-06-03 14:50 . 2009-06-03 14:50 -------- dc-h--w- c:\winnt\$UninstallRDC$
2009-06-03 14:50 . 2009-06-03 14:50 -------- d-----w- c:\program files\MSXML 6.0
2009-06-03 14:02 . 2009-06-03 14:02 -------- d-----w- c:\winnt\system32\bits
2009-06-03 14:02 . 2007-05-24 13:20 7168 -c--a-w- c:\winnt\system32\dllcache\bitsprx4.dll
2009-06-03 14:02 . 2007-05-24 13:20 7168 ----a-w- c:\winnt\system32\bitsprx4.dll
2009-06-03 14:01 . 2009-06-03 14:01 581 ----a-w- c:\documents and settings\LocalService\SCCM_Clinst.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 12:37 . 2009-03-26 22:58 -------- d-----w- c:\program files\extensions
2009-06-29 04:10 . 2009-03-27 13:31 48376 ----a-w- c:\documents and settings\xxUSERxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 19:53 . 2009-04-04 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-26 18:06 . 2009-04-04 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 18:05 . 2009-04-07 04:31 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-26 17:35 . 2009-03-26 22:58 17912 ----a-w- c:\program files\xpcom.dll
2009-06-23 20:54 . 2009-04-06 01:11 104168 ----a-w- c:\winnt\hpoins04.dat
2009-06-23 20:52 . 2009-04-06 01:12 -------- d-----w- c:\program files\HP
2009-06-23 18:54 . 2009-06-23 18:51 1480 ----a-w- c:\winnt\AUTOLNCH.REG
2009-06-17 15:27 . 2009-04-04 19:22 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-04-04 19:22 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-06-11 16:40 . 2008-01-19 11:04 -------- d-----w- c:\program files\Java
2009-06-04 15:05 . 2009-05-05 14:21 -------- d-----w- c:\documents and settings\xxUSERxx\Application Data\webex
2009-05-28 03:26 . 2009-05-28 03:26 -------- d-----w- c:\program files\MSECache
2009-05-21 16:47 . 2009-03-25 18:20 -------- d-----w- c:\program files\Nortel Networks
2009-05-21 15:33 . 2009-03-25 18:09 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-05-05 14:20 . 2009-05-05 14:20 51304 ----a-w- c:\winnt\system32\drivers\atnt40k.sys
2009-05-05 14:20 . 2009-05-05 14:20 202323 ----a-w- c:\winnt\system32\atasnt40.dll
2009-04-05 01:24 . 2009-04-04 19:51 262144 ----a-w- c:\winnt\system32\default_user_class.dat
2009-04-05 01:19 . 2009-04-05 01:19 119808 ----a-w- C:\VundoFix.exe
2009-04-04 19:51 . 2009-04-04 19:51 778 ----a-w- c:\program files\zpqlkk.txt
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_04.09.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-29 15:41 . 2009-06-29 15:41 16384 c:\winnt\Temp\Perflib_Perfdata_4c4.dat
+ 2009-06-29 15:41 . 2009-06-29 15:41 16384 c:\winnt\Temp\Perflib_Perfdata_3f8.dat
+ 2002-08-29 12:00 . 2009-06-29 04:15 64166 c:\winnt\system32\perfc009.dat
+ 2009-06-29 04:11 . 2008-01-23 22:34 53592 c:\winnt\system32\dllcache\cache\wuauclt.exe
+ 2009-06-29 04:11 . 2004-08-03 22:56 82944 c:\winnt\system32\dllcache\cache\ws2_32.dll
+ 2009-06-29 04:11 . 2004-08-03 22:56 24576 c:\winnt\system32\dllcache\cache\userinit.exe
+ 2009-06-29 04:11 . 2004-08-03 22:56 14336 c:\winnt\system32\dllcache\cache\svchost.exe
+ 2009-06-29 04:11 . 2005-06-10 23:53 57856 c:\winnt\system32\dllcache\cache\spoolsv.exe
+ 2009-06-29 04:11 . 2004-08-03 22:56 17408 c:\winnt\system32\dllcache\cache\powrprof.dll
+ 2009-06-29 04:11 . 2004-08-03 22:56 13312 c:\winnt\system32\dllcache\cache\lsass.exe
+ 2009-06-29 04:11 . 2004-08-03 20:58 24576 c:\winnt\system32\dllcache\cache\kbdclass.sys
+ 2009-06-29 04:11 . 2004-08-03 21:00 29056 c:\winnt\system32\dllcache\cache\ip6fw.sys
+ 2009-06-29 04:11 . 2004-08-03 22:56 15360 c:\winnt\system32\dllcache\cache\ctfmon.exe
+ 2002-08-29 12:00 . 2009-06-29 04:15 406258 c:\winnt\system32\perfh009.dat
+ 2009-06-29 04:11 . 2004-08-03 22:56 502272 c:\winnt\system32\dllcache\cache\winlogon.exe
+ 2009-06-29 04:11 . 2009-02-20 08:14 668160 c:\winnt\system32\dllcache\cache\wininet.dll
+ 2009-06-29 04:11 . 2007-03-08 15:36 577536 c:\winnt\system32\dllcache\cache\user32.dll
+ 2009-06-29 04:11 . 2004-08-03 22:56 295424 c:\winnt\system32\dllcache\cache\termsrv.dll
+ 2009-06-29 04:11 . 2008-06-20 10:45 360320 c:\winnt\system32\dllcache\cache\tcpip.sys
+ 2009-06-29 04:11 . 2009-02-06 10:22 110592 c:\winnt\system32\dllcache\cache\services.exe
+ 2009-06-29 04:11 . 2004-08-03 21:14 182912 c:\winnt\system32\dllcache\cache\ndis.sys
+ 2009-06-29 04:11 . 2009-03-21 14:18 986112 c:\winnt\system32\dllcache\cache\kernel32.dll
+ 2009-06-29 04:11 . 2004-08-03 22:56 110080 c:\winnt\system32\dllcache\cache\imm32.dll
+ 2009-06-29 04:11 . 2004-08-03 22:56 167936 c:\winnt\system32\dllcache\cache\appmgmts.dll
+ 2009-06-29 04:11 . 2004-08-03 22:56 1580544 c:\winnt\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-29 04:11 . 2009-02-06 10:29 2142720 c:\winnt\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-29 04:11 . 2009-02-06 09:49 2020864 c:\winnt\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-29 04:11 . 2007-06-13 10:23 1033216 c:\winnt\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2007-05-16 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"USRPKGS"="c:\winnt\usrpkgs\launch.vbs" [2005-06-29 4927]
"eburoUI"="c:\winnt\system32\e-buroUI.exe" [2008-07-08 159744]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-11-08 136512]
"dla"="c:\winnt\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.vbs" [2006-07-04 13139]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2008-06-04 963904]
"Synchronization Manager"="c:\winnt\system32\mobsync.exe" [2004-08-03 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"MSConfig"="c:\winnt\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-03 158208]
"SigmatelSysTrayApp"="stsystra.exe" - c:\winnt\stsystra.exe [2007-02-19 303104]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\winnt\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-05 3900936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Oracle Drive.lnk - c:\program files\Oracle\ODrive\odrive.exe [2009-2-25 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"nosmconfigureprograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"StartRunNoHOMEPATH"= 1 (0x1)
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Back"= 1 (0x1)
"Btn_Forward"= 1 (0x1)
"Btn_Stop"= 1 (0x1)
"Btn_Refresh"= 1 (0x1)
"Btn_Home"= 1 (0x1)
"Btn_Search"= 1 (0x1)
"Btn_Favorites"= 1 (0x1)
"Btn_History"= 1 (0x1)
"Btn_Media"= 2 (0x2)
"Btn_Folders"= 2 (0x2)
"Btn_Fullscreen"= 1 (0x1)
"Btn_Tools"= 1 (0x1)
"Btn_MailNews"= 2 (0x2)
"Btn_Size"= 1 (0x1)
"Btn_Print"= 1 (0x1)
"Btn_Edit"= 1 (0x1)
"Btn_Discussions"= 2 (0x2)
"Btn_Cut"= 2 (0x2)
"Btn_Copy"= 1 (0x1)
"Btn_Paste"= 2 (0x2)
"Btn_Encoding"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 TivoliAP

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-854245398-789336058-682003330-619841\Scripts\Logoff\0\0]
"Script"=Launch_logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-854245398-789336058-682003330-619841\Scripts\Logon\0\0]
"Script"=Launch_logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-854245398-789336058-682003330-619841\Scripts\Logon\1\0]
"Script"=wscript.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\winnt\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"system tool"=c:\winnt\sysguard.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=

R1 TDFSD;TDFSD;c:\winnt\system32\drivers\tdfsd.sys [2/25/2009 11:37 AM 945984]
R1 TGrab;Tivoli Remote Control Text Grabber;c:\winnt\system32\drivers\TGRAB.SYS [1/19/2008 7:05 AM 6688]
R2 APSMDrv;Intranet Server Client Software Usage driver;c:\winnt\system32\drivers\APSMDrv.sys [3/25/2009 2:26 PM 3223]
R2 APSMScan;Intranet Server Client Software Usage;APSmscan.exe --> APSmscan.exe [?]
R2 eburo;Service e-buro;c:\winnt\system32\e-buro.exe [7/8/2008 2:49 PM 98304]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [3/26/2008 12:33 PM 1455424]
R2 i2050QoSSvc;Nortel IP Softphone 2050 QoS;c:\program files\Nortel\IP Softphone 2050\i2050QosSvc.exe [12/24/2007 5:36 PM 114688]
R2 MouEx2;Tivoli Remote Control Pointer Filter;c:\winnt\system32\drivers\MOUEX2.SYS [1/19/2008 7:05 AM 2898]
R2 OdService;ODrive Service;c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager --> c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager [?]
R2 SicltNT;Intranet Server Client;SICLT32.EXE --> SICLT32.EXE [?]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [3/25/2009 2:20 PM 24521]
R3 eDataVideoCap;eDataVideoCap;c:\winnt\system32\drivers\eDataVideoCap.sys [4/1/2009 9:36 AM 25600]
R3 FirehkMP;FirehkMP;c:\winnt\system32\drivers\firehk.sys [2/29/2008 11:09 AM 42056]
R3 KeyEx2;Tivoli Remote Control Keyboard Filter;c:\winnt\system32\drivers\KEYEX2.SYS [1/19/2008 7:05 AM 5751]
S2 goxmtpda;Bluetooth Port Controller;c:\winnt\System32\svchost.exe -k netsvcs [8/3/2004 6:56 PM 14336]
S3 APSINV;APSINV;c:\winnt\system32\drivers\APSINV.SYS [3/25/2009 2:27 PM 23408]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\winnt\system32\drivers\firehk.sys [2/29/2008 11:09 AM 42056]
S3 HIPK;McAfee Inc. HIPK;c:\winnt\system32\drivers\HIPK.sys [3/25/2009 2:24 PM 100104]
S3 HIPPSK;McAfee Inc. HIPPSK;c:\winnt\system32\drivers\HIPPSK.sys [3/25/2009 2:24 PM 30856]
S3 HIPQK;McAfee Inc. HIPQK;c:\winnt\system32\drivers\HIPQK.sys [3/25/2009 2:24 PM 27976]
S3 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [3/25/2009 2:23 PM 46400]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [3/25/2009 2:20 PM 155216]
S3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\winnt\system32\drivers\nwdelmdm.sys [5/30/2007 12:50 PM 92288]
S3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\winnt\system32\drivers\nwdelser.sys [5/30/2007 12:50 PM 92288]

--- Other Services/Drivers In Memory ---

*Deregistered* - nxkagakj
*Deregistered* - uphcleanhlp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
goxmtpda

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection c:\winnt\INF\wmactedp.inf,PerUserStub
.
- - - - ORPHANS REMOVED - - - -

BHO-{310244ee-eceb-f485-b84a-d69d7c9dd688} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://connection.xxxcorporatexxx.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: com.ftgroup\one-directory
Trusted Zone: xxxcorporatexxx.com\ipop
Trusted Zone: xxxcorporatexxx.com\km-repository
Trusted Zone: xxxcorporatexxx.com\km-sso
Trusted Zone: xxxcorporatexxx.com\machx
Trusted Zone: xxxcorporatexxx.com\rs2x
Trusted Zone: xxxcorporatexxx.com\www.agence
Trusted Zone: private_web_address.fr\*.sso
Trusted Zone: private_web_address.fr\ca.maquette.ocisi
Trusted Zone: private_web_address.fr\chooser.sso
Trusted Zone: private_web_address.fr\dflp1ebe.intranet-paris
Trusted Zone: private_web_address.fr\emulations.lille
Trusted Zone: private_web_address.fr\emulations.lyon
Trusted Zone: private_web_address.fr\emulations.melun
Trusted Zone: private_web_address.fr\emulations.nanterre
Trusted Zone: private_web_address.fr\emulations.nantes
Trusted Zone: private_web_address.fr\emulations.ocisi
Trusted Zone: private_web_address.fr\emulations.si
Trusted Zone: private_web_address.fr\emulations.strasbourg
Trusted Zone: private_web_address.fr\emulations.toulouse
Trusted Zone: private_web_address.fr\gassi
Trusted Zone: private_web_address.fr\gassi.sso
Trusted Zone: private_web_address.fr\intranoo
Trusted Zone: private_web_address.fr\ipop.si
Trusted Zone: private_web_address.fr\monsi.sso
Trusted Zone: private_web_address.fr\qfsmusic-music.sso
Trusted Zone: private_web_address.fr\siroco-crm
Trusted Zone: private_web_address.fr\webdoc.sso
Trusted Zone: com.ftgroup\one-directory
Trusted Zone: xxxcorporatexxx.com\ipop
Trusted Zone: xxxcorporatexxx.com\km-repository
Trusted Zone: xxxcorporatexxx.com\km-sso
Trusted Zone: xxxcorporatexxx.com\machx
Trusted Zone: xxxcorporatexxx.com\rs2x
Trusted Zone: xxxcorporatexxx.com\www.agence
Trusted Zone: private_web_address.fr\*.sso
Trusted Zone: private_web_address.fr\ca.maquette.ocisi
Trusted Zone: private_web_address.fr\chooser.sso
Trusted Zone: private_web_address.fr\dflp1ebe.intranet-paris
Trusted Zone: private_web_address.fr\emulations.lille
Trusted Zone: private_web_address.fr\emulations.lyon
Trusted Zone: private_web_address.fr\emulations.melun
Trusted Zone: private_web_address.fr\emulations.nanterre
Trusted Zone: private_web_address.fr\emulations.nantes
Trusted Zone: private_web_address.fr\emulations.ocisi
Trusted Zone: private_web_address.fr\emulations.si
Trusted Zone: private_web_address.fr\emulations.strasbourg
Trusted Zone: private_web_address.fr\emulations.toulouse
Trusted Zone: private_web_address.fr\gassi
Trusted Zone: private_web_address.fr\gassi.sso
Trusted Zone: private_web_address.fr\intranoo
Trusted Zone: private_web_address.fr\ipop.si
Trusted Zone: private_web_address.fr\monsi.sso
Trusted Zone: private_web_address.fr\qfsmusic-music.sso
Trusted Zone: private_web_address.fr\siroco-crm
Trusted Zone: private_web_address.fr\webdoc.sso
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\xxUSERxx\Application Data\Mozilla\Firefox\Profiles\3uouf8xo.default\
FF - plugin: c:\program files\plugins\npatgpc.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 00:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1956)
c:\winnt\system32\XDNP.dll
c:\winnt\system32\tdshell.dll
c:\winnt\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(2036)
c:\winnt\system32\TivoliAP.dll
.
Completion time: 2009-07-01 0:32
ComboFix-quarantined-files.txt 2009-07-01 04:32
ComboFix2.txt 2009-06-29 04:12

Pre-Run: 18,904,424,960 bytes free
Post-Run: 18,900,696,576 bytes free

303 --- E O F --- 2009-06-22 17:43
formula1nyc is offline  
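The ComboFix excerpt above lists services and drivers (the R0-R3 / S0-S4 lines), objects that are "*Deregistered*" but still in memory, and a disabled-autorun key (the "run-" section). The script below is an added example, not code from this thread or from the ComboFix project: it parses those three kinds of lines and reports the entries a responder would look at first, namely services hosted by "svchost.exe -k netsvcs" whose name is not in a baseline of the stock XP netsvcs group, deregistered kernel objects, and values left under the disabled Run key. STOCK_NETSVCS is an assumed subset of the XP SP2/SP3 netsvcs group, not something the log states; the sample lines are copied from the posted log so the example runs offline.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example: not part of the forum thread or of ComboFix itself. It
scans service/driver lines, "*Deregistered*" objects and the disabled
"run-" autorun key and returns leads for manual follow-up.
"""
import re

# Assumption (not from the thread): a subset of the service names that
# belong to the stock "netsvcs" svchost group on Windows XP SP2/SP3.
# Extend this from a clean reference machine before relying on it.
STOCK_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "browser", "cryptsvc", "dmserver",
    "dhcp", "ersvc", "eventsystem", "fastuserswitchingcompatibility",
    "helpsvc", "hidserv", "ias", "iprip", "irmon", "lanmanserver",
    "lanmanworkstation", "messenger", "netman", "nla", "ntmssvc",
    "nwcworkstation", "nwsapagent", "rasauto", "rasman", "remoteaccess",
    "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection",
    "srservice", "tapisrv", "themes", "trkwks", "w32time", "wzcsvc",
    "wmi", "wmdmpmsp", "winmgmt", "wscsvc", "xmlprov", "bits",
    "wuauserv", "uploadmgr", "termservice", "netlogon",
}

# "S2 name;display name;image path [date size]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[.*\])?\s*$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)")
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

# Constructed sample: lines copied from the posted ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"system tool"=c:\winnt\sysguard.exe

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [3/26/2008 12:33 PM 1455424]
S2 goxmtpda;Bluetooth Port Controller;c:\winnt\System32\svchost.exe -k netsvcs [8/3/2004 6:56 PM 14336]
S3 HIPK;McAfee Inc. HIPK;c:\winnt\system32\drivers\HIPK.sys [3/25/2009 2:24 PM 100104]

--- Other Services/Drivers In Memory ---

*Deregistered* - nxkagakj
*Deregistered* - uphcleanhlp
"""


def triage(log_text):
    """Return a list of (kind, name, detail) leads found in a log excerpt."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()

        m = SERVICE_RE.match(line)
        if m:
            _start_type, _num, name, display, path = m.groups()
            lowered = path.lower()
            # A service that runs inside svchost has no binary of its own in
            # the log; the only thing to check here is whether its name is
            # expected in that host group at all.
            if "svchost.exe -k" in lowered:
                group = lowered.split("-k", 1)[1].strip()
                if group == "netsvcs" and name.lower() not in STOCK_NETSVCS:
                    findings.append(("svchost_unknown", name,
                                     f"{display!r} hosted in netsvcs but not in baseline"))
            continue

        m = DEREG_RE.match(line)
        if m:
            findings.append(("deregistered", m.group(1),
                             "object still in memory with no registered service/driver"))
            continue

        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue

        # Values under "...\run-" are autoruns that msconfig disabled; the
        # binary they point to may still be on disk.
        m = VALUE_RE.match(line)
        if m and section.endswith("\\run-"):
            findings.append(("disabled_autorun", m.group(1),
                             f"{m.group(2)} referenced from the disabled Run key"))
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:17} {name:15} {detail}")
```

Everything it reports is a lead, not a verdict: goxmtpda is flagged only because it is absent from the assumed baseline, so the next step is to read that service's ServiceDll value from the registry and check the file's signature and hash on disk, which the log alone cannot settle.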
Old 07-01-2009, 12:23 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,661
OS: XP SP3


Re: Rootkit "SKYNET"

Hello, formula1nyc.

As you should have read here in Step 2 of our NEW INSTRUCTIONS thread:

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

------------------------------------------------------

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware. Administrator access is required for control of security applications.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

This thread shall be closed.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Copyright 2001 - 2009, Tech Support Forum