combofix log, please check

Asked by Jey1980 in Anti-Virus

ComboFix 09-08-04.04 - PavieJ 10/08/2009 11:54.2.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.33.1033.18.1014.506 [GMT 2:00]
Running from: c:\program files\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

.
(((((((((((((((((((((((((   Files Created from 2009-07-10 to 2009-08-10  )))))))))))))))))))))))))))))))
.

2009-08-10 10:02 . 2009-08-10 10:03      53248      ----a-w-      c:\temp\catchme.dll
2009-08-10 09:54 . 2009-08-10 09:54      --------      d-----w-      c:\temp\WPDNSE
2009-08-10 07:34 . 2009-08-10 07:34      16384      ----atw-      c:\temp\Perflib_Perfdata_3b8.dat
2009-08-06 11:10 . 2009-08-06 11:10      3154932      ----a-r-      c:\program files\ComboFix.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 08:18 . 2009-04-17 10:41      --------      d-----w-      c:\documents and settings\PavieJ\Application Data\HPAppData
2009-08-08 19:47 . 2008-04-14 10:59      12      ----a-w-      c:\windows\bthservsdp.dat
2009-08-03 19:52 . 2008-12-10 17:18      --------      d-----w-      c:\program files\Symantec AntiVirus
2009-07-21 12:41 . 2008-04-17 12:20      --------      d-----w-      c:\documents and settings\PavieJ\Application Data\U3
2009-07-16 06:53 . 2009-02-06 20:24      --------      d-----w-      c:\documents and settings\All Users\Application Data\DriverCure
2009-06-29 05:29 . 2008-04-18 13:37      77552      ----a-w-      c:\documents and settings\PavieJ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-26 14:06 . 2009-06-26 14:06      156968      ----a-w-      c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-26 14:04 . 2009-06-26 14:04      --------      d-----w-      c:\program files\MSBuild
2009-06-26 14:04 . 2009-06-26 14:04      --------      d-----w-      c:\program files\Reference Assemblies
2009-06-26 13:56 . 2009-06-26 13:56      --------      d-----w-      c:\program files\MSXML 6.0
2009-06-26 12:57 . 2009-06-26 12:57      289080      ----a-w-      c:\program files\AutodeskDesignRevSetup.exe
2009-06-22 22:36 . 2009-06-22 22:36      --------      d-----w-      c:\program files\ParetoLogic
2009-06-22 22:36 . 2009-05-17 22:33      2988592      ----a-w-      c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\Update.exe
2009-05-25 12:07 . 2009-05-25 11:38      124416      ----a-w-      c:\windows\hpqins00.dat
2009-05-18 22:58 . 2009-05-29 08:35      1693316      ----a-w-      c:\windows\system32\esetup.exe
2009-05-01 19:15 . 2009-05-01 19:15      2488008      ----a-w-      c:\program files\mediacenter.exe
2009-04-21 12:00 . 2009-04-21 11:59      1880648      ----a-w-      c:\program files\TeamViewer_Setup.exe
2009-03-11 14:15 . 2009-03-11 14:14      34175700      ----a-w-      c:\program files\Citadon setup.exe
2009-02-09 09:21 . 2009-02-09 09:21      6561169      ----a-w-      c:\program files\SecureClient_Cluster_09012009.zip
2009-02-06 22:51 . 2009-02-06 22:51      11562257      ----a-w-      c:\program files\The-KMPlayer-FR-241208.exe
2009-02-06 20:33 . 2009-02-06 20:32      52307672      ----a-w-      c:\program files\AVSVideoConverter.exe
2008-09-22 09:38 . 2008-09-22 09:38      27199528      ----a-w-      c:\program files\eDrawingsFullEnglish.exe
2008-06-02 14:35 . 2008-06-02 14:35      1271557      ----a-w-      c:\program files\wrar371fr.exe
2008-04-18 13:04 . 2008-04-18 13:03      213316736      ----a-w-      c:\program files\SetupDWGTrueView2009_32bit_FRA.exe
2008-04-14 14:35 . 2008-04-14 14:35      97694      ----a-w-      c:\program files\install_Windows Media Player_.exe
2008-04-14 11:46 . 2008-04-14 11:46      16500592      ----a-w-      c:\program files\DivXInstaller.exe
.

(((((((((((((((((((((((((((((   SnapShot@2009-08-06_11.27.00   )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-08-05 19:17      72238              c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-08-10 07:39      72238              c:\windows\system32\perfc009.dat
- 2006-08-08 10:50 . 2009-08-01 13:52      32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-08-08 10:50 . 2009-08-07 11:03      32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-08-08 10:50 . 2009-08-01 13:52      32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-08-08 10:50 . 2009-08-07 11:03      32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-08-08 10:50 . 2009-08-07 11:03      32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-08-08 10:50 . 2009-08-01 13:52      32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-04 12:00 . 2009-08-05 19:17      444362              c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2009-08-10 07:39      444362              c:\windows\system32\perfh009.dat
+ 2006-08-08 11:29 . 2009-08-10 07:34      296480              c:\windows\system32\FNTCACHE.DAT
- 2006-08-08 11:29 . 2009-07-18 11:12      296480              c:\windows\system32\FNTCACHE.DAT
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"DriverCure"="c:\program files\ParetoLogic\DriverCure\DriverCure.exe" [2009-04-26 3023640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2009-01-09 233472]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"bginfo"="c:\documents and settings\all users\application data\ech\bginfo.exe" [2008-02-06 963624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-04-17 115560]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-16 397312]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Powerproject Startup.lnk - c:\program files\Asta\Asta Powerproject\Teamplan.exe [2007-2-13 3485785]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 5 (0x5)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-01-29 14:14      24669      ----a-w-      c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-16764\Scripts\Logon\0\0]
"Script"=CachedMode.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-16764\Scripts\Logon\1\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\echarris.local\Scripts\printers.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-32117\Scripts\Logon\0\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\echarris.local\Scripts\printers.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-32117\Scripts\Logon\1\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\ECHARRIS.LOCAL\Scripts\renamecatosqlechq.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-32117\Scripts\Logon\1\1]
"Script"=\\ECHARRIS.LOCAL\SysVol\ECHARRIS.LOCAL\Scripts\eolscript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-32117\Scripts\Logon\1\2]
"Script"=\\ECHARRIS.LOCAL\SysVol\ECHARRIS.LOCAL\Scripts\renameearthworksechq.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-32117\Scripts\Logon\2\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\ECHARRIS.LOCAL\Scripts\nongmologinrebrandmay09.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-32117\Scripts\Logon\3\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\echarris.local\Scripts\killgoogledesktopalerts.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-32117\Scripts\Logon\3\1]
"Script"=\\ECHARRIS.LOCAL\SysVol\ECHARRIS.LOCAL\Scripts\Fix_GDS_Excelerator.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-32117\Scripts\Logon\4\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\ECHARRIS.LOCAL\Scripts\savlagcheck.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-70174\Scripts\Logon\0\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\echarris.local\Scripts\printers.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-70174\Scripts\Logon\1\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\ECHARRIS.LOCAL\Scripts\wallpaper.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-70186\Scripts\Logon\0\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\echarris.local\Scripts\printers.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1888580068-4072715215-3066545148-70186\Scripts\Logon\1\0]
"Script"=\\ECHARRIS.LOCAL\SysVol\ECHARRIS.LOCAL\Scripts\wallpaper.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15/02/2007 20:00 26624]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [29/01/2008 16:15 2235760]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [29/01/2008 16:15 47504]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [23/03/2009 11:35 185640]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [29/01/2008 16:15 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [29/01/2008 16:15 673872]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [07/02/2007 20:00 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [09/03/2009 10:41 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [17/04/2009 09:24 23888]
S3 G3GRUMDM;G3G R USB Modem;c:\windows\system32\drivers\g3grumdm.sys [26/09/2008 16:06 26496]
S3 G3GRUSER;G3G R USB Serial;c:\windows\system32\drivers\g3gruser.sys [26/09/2008 16:06 23296]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt      REG_MULTI_SZ         hpqcxs08 hpqddsvc
HPService      REG_MULTI_SZ         HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-04-26 12:44]

2009-08-05 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

2009-06-26 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myportal.echarris.com
uInternet Connection Wizard,ShellNext = hxxp://echonew/live
uInternet Settings,ProxyServer = internetuk.echarris.local:8080
uInternet Settings,ProxyOverride = *.echarris.com;*.local;10.*;*.echarris.local;*.epin-portal.com;*.cephren.co.uk;*.bcis.co.uk;hxxp://www.tionestop.com;*.cadweb.net;http://www.rs-uk.co.uk;*.citadon.co.uk;http://echonew*;*.lehman.com;172.16.2.6;*.brixhamfishmarket.info;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: citadon.com
Trusted Zone: echarris.com
Trusted Zone: echarris.local
Trusted Zone: uk1immstsweb1vm
Trusted Zone: uk1immtstweb1vm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
DPF: {6BD88D94-03D2-4ABF-99A3-78E9C87DFCA5} - hxxps://abw.echarris.com/agresso/api/com/axmlcomp.cab
FF - ProfilePath - c:\documents and settings\paviej\Application Data\Mozilla\Firefox\Profiles\1k703k36.default\
FF - prefs.js: browser.startup.homepage - hxxp://myportal.echarris.com/
FF - prefs.js: network.proxy.ftp - internetuk.echarris.local
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - internetuk.echarris.local
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - internetuk.echarris.local
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - internetuk.echarris.local
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - internetuk.echarris.local
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 12:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1952)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-08-10 12:06
ComboFix-quarantined-files.txt  2009-08-10 10:06
ComboFix2.txt  2009-08-06 11:30

Pre-Run: 2,822,086,656 bytes free
Post-Run: 2,796,343,296 bytes free

Accepted Solution (08/10/09 06:31 PM, ID: 25065566)


About this solution

Zone: Anti-Virus
Solution Provided By: greyknight17
Participating Experts: 2
Solution Grade: B
 
Expert Comment (08/10/09 10:14 AM, ID: 25061829)
