Search links hijacked

Hi, last week I started getting random redirects from the links in search engine results (tried Google, Yahoo) in both Firefox and IE. I did full system scans with McAfee, Malwarebytes, and Spybot S&D (all of which turned up nothing) before coming across the TechSpot forums. I did find a program called "SearchAssist" in Add/Remove Programs that I had not seen before or knowingly installed, so I removed that.

Anyway, I have since gone through the 8-step instructions and I am attaching my results here. The DDS Attach.txt file is zipped as instructed by the program. Please note that I was blocked from disabling McAfee's On-Access Scanner when running the diagnostics, but there didn't seem to be any conflicts.

I would greatly appreciate any help that anyone can offer. I'm at my wit's end!

Thanks,
Josh
 

Attachments

  • mbam-log-2010-06-15 (09-17-38).txt (894 bytes)
  • gmer.log (83.6 KB)
  • DDS.txt (16.7 KB)
  • Attach.zip (4.8 KB)
Question: some duplication here?
C:\Program Files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe
C:\Program Files\Clarus\Samsung Auto Backup\ISFTimerD.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe


Tell me about these files:
2010-06-15 16:08:48 9 ----a-w- C:\AMANDA_AmandaParm.tmp
2010-06-15 16:08:48 78 ----a-w- C:\AMANDA_GisData.tmp
2010-06-15 16:08:48 28 ----a-w- C:\AMANDA_GisCommand.tmp

===============================
Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Close any open browsers.
  • [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  • [5]. If Combofix asks you to install Recovery Console, please allow it.
  • [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
=====================================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Leave the logs in your next reply please.
 
Thanks for the quick reply Bobbye.

I'm not sure why there are two different exes for the Samsung Auto Backup, but those have always been there since I installed the software - long before I had any redirect problems.

The Symantec Ghost is apparently used by my agency to push out various updates or patches to individual computers.

The Amanda entries are from a project tracking program that we use and don't appear suspicious.

For this round of scans I managed to get McAfee disabled, but then it came back in the middle of the ComboFix scan. My IT department set it up to be very hard to disable and apparently something is going on to re-enable it as well. There were no apparent problems with ComboFix though.

The search link redirect problem is still happening. If it helps, the url that seems to come up most often during the redirect is "whattoseek.com".

Here are the ComboFix and ESET logs:

ComboFix 10-06-15.02 - BrannJ 06/15/2010 21:34:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2414 [GMT -7:00]
Running from: c:\documents and settings\brannj\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\win.ini
c:\windows\xpsp1hfm.log

----- BITS: Possible infected sites -----

hxxp://192.168.16.9
.
((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-14 23:23 . 2010-06-14 23:23 503808 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6f75b268-n\msvcp71.dll
2010-06-14 23:23 . 2010-06-14 23:23 499712 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6f75b268-n\jmc.dll
2010-06-14 23:23 . 2010-06-14 23:23 348160 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6f75b268-n\msvcr71.dll
2010-06-14 23:23 . 2010-06-14 23:23 61440 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-210cd5aa-n\decora-sse.dll
2010-06-14 23:23 . 2010-06-14 23:23 12800 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-210cd5aa-n\decora-d3d.dll
2010-06-14 23:09 . 2010-06-14 23:09 -------- d-----w- c:\program files\Common Files\Java
2010-06-14 23:06 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-14 22:51 . 2010-06-14 22:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-14 18:30 . 2010-06-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-14 18:30 . 2010-06-14 18:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-11 19:36 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 19:36 . 2010-06-11 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 19:36 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 00:13 . 2010-06-11 00:13 80896 ------w- c:\windows\system32\bfaa.sys
2010-06-11 00:06 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-11 00:06 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-11 00:06 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-06-11 00:06 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-06-09 15:28 . 2010-04-20 05:30 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-06-09 15:28 . 2010-03-05 14:37 65536 ------w- c:\windows\system32\dllcache\asycfilt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 18:59 . 2009-09-01 18:10 -------- d-----w- c:\program files\CyberPower PowerPanel Personal Edition
2010-06-14 23:12 . 2010-01-23 00:21 -------- d-----w- c:\documents and settings\brannj\Application Data\SanDisk
2010-06-14 23:06 . 2008-08-01 04:29 -------- d-----w- c:\program files\Java
2010-06-14 18:25 . 2009-07-16 16:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-10 17:06 . 2008-11-03 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-19 16:44 . 2008-08-01 04:34 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2004-08-11 22:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-11 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-11 22:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2009-04-29 15:30 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-03-26 08:48 . 2010-03-26 08:48 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-25 15:41 . 2009-08-20 18:04 5271657 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FramePkg.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 315392]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-11 1015808]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"EPSON_UD_START"="c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UD.exe" [2008-05-22 329632]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2009-12-25 206216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2010-02-18 136512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\brannj\Start Menu\Programs\Startup\
Samsung Auto Backup Guage.lnk - c:\program files\Clarus\Samsung Auto Backup\ISFGuage.exe [2009-9-1 888832]
Samsung Auto Backup Real-Time Daemon.lnk - c:\program files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe [2009-9-1 77824]
Samsung Auto Backup Scheduler.lnk - c:\program files\Clarus\Samsung Auto Backup\ISFTimerD.exe [2009-9-1 94208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Evoluent Mouse Manager.lnk - c:\windows\Installer\{A8323EF0-1E8A-4385-93ED-F97963793042}\_3E7D7F8C756EC1A9420DE2.exe [2008-12-10 1150]
Notify.lnk - c:\novell\GroupWise\notify.exe [2007-6-6 192570]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-1116\Scripts\Logon\0\0]
"Script"=CentralServicesLogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-1620\Scripts\Logon\0\0]
"Script"=AmandaPerms.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-1620\Scripts\Logon\1\0]
"Script"=DevServLogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-5191\Scripts\Logon\0\0]
"Script"=AmandaPerms.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-5191\Scripts\Logon\1\0]
"Script"=RoadsLogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8638\Scripts\Logon\0\0]
"Script"=CSDCPerms.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8638\Scripts\Logon\1\0]
"Script"=DevServLogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logoff\0\0]
"Script"=Logofflog.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\0\0]
"Script"=Logonlog.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\1\0]
"Script"=ArcViewLR_PlanningDriveMap.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\2\0]
"Script"=ArcViewSANDriveMap.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\3\0]
"Script"=ArcViewLidarDriveMap.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\4\0]
"Script"=AmandaPerms.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\5\0]
"Script"=DevServLogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-04-03 23:44 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-04-04 05:32 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-09-25 14:12 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 20:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"HPWJAUpdateService"=2 (0x2)
"HPWJAService"=2 (0x2)
"gusvc"=2 (0x2)
"gupdate1c9a7e2e7f74102"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=

R1 bfaa;bfaa;c:\windows\system32\bfaa.sys [06/10/2010 5:13 PM 80896]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [06/20/2007 12:30 PM 79168]
R2 EMP_UDSA;EMP_UDSA;c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [06/24/2009 2:23 PM 94208]
R2 MSSQL$HPWJA;SQL Server (HPWJA);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [05/27/2009 4:27 AM 29262680]
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [12/24/2009 10:51 PM 607624]
R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [06/24/2009 2:23 PM 17664]
R3 evomouflt;Evoluent Mouse Filter Service;c:\windows\system32\drivers\evomouflt.sys [12/26/2007 3:03 PM 15872]
S2 gupdate1c9a7e2e7f74102;Google Update Service (gupdate1c9a7e2e7f74102);c:\program files\Google\Update\GoogleUpdate.exe [03/18/2009 9:02 AM 133104]
S2 Laserfiche Snapshot Service 8;Laserfiche Snapshot Service 8;c:\program files\Laserfiche\Client 8\Snapshot 8\SnapshotService80.exe [06/27/2009 4:36 PM 29992]
S4 HPWJAService;HPWJA Service;c:\program files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe [02/09/2009 3:27 PM 45056]
S4 HPWJAUpdateService;HP WJA Update Service;c:\program files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe [03/05/2009 12:45 PM 20480]
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 16:02]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://share/Pages/Default.aspx
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\brannj\Application Data\Mozilla\Firefox\Profiles\fe3x0zwt.default\
FF - prefs.js: browser.startup.homepage - hxxp://intra.co.thurston.wa.us/
FF - plugin: c:\program files\Common Files\Laserfiche\System\nplfplugin.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPE2Host.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Adobe Acrobat Connect Add-in - c:\documents and settings\brannj\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-15 21:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-15 21:40:21
ComboFix-quarantined-files.txt 2010-06-16 04:40

Pre-Run: 46,243,483,648 bytes free
Post-Run: 46,203,916,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - AB8F87B19DCE14865E5782EE19F048BA


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bf47f4b3bd1bf040929736f534ebdc61
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-16 05:55:54
# local_time=2010-06-15 10:55:54 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=187488
# found=0
# cleaned=0
# scan_time=3939
 
The Symantec Ghost is apparently used by my agency to push out various updates or patches to individual computers.

The Amanda entries are from a project tracking program that we use and don't appear suspicious.

My IT department set it up to be very hard to disable and apparently something is going on to re-enable it as well.

Novell\\GroupWise:
GroupWise collaboration software is a premier collaboration tool for large enterprise.

Josh, this is a work computer and you have an IT Department? I do not assist on work computers that have work-related programs active and that are covered by an IT department.
 