TechSpot

Search links hijacked

By joshbtc
Jun 15, 2010
  1. Hi, last week I started getting random redirects from the links in search engine results (tried Google, Yahoo) in both Firefox and IE. I did full system scans with McAfee, Malwarebytes, and Spybot S&D (all of which turned up nothing) before coming across the TechSpot forums. I did find a program called "SearchAssist" in Add/Remove Programs that I had not seen before or knowingly installed, so I removed that.

    Anyway, I have since gone through the 8-step instructions and I am attaching my results here. The DDS Attach.txt file is zipped as instructed by the program. Please note that I was blocked from disabling McAfee's On-Access Scanner when running the diagnostics, but there didn't seem to be any conflicts.

    I would greatly appreciate any help that anyone can offer. I'm at my wit's end!

    Thanks,
    Josh
     


  2. Bobbye


    Question: some duplication here?
    C:\Program Files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe
    C:\Program Files\Clarus\Samsung Auto Backup\ISFTimerD.exe
    C:\Program Files\Symantec\Ghost\ngctw32.exe


    Tell me about these files:
    2010-06-15 16:08:48 9 ----a-w- C:\AMANDA_AmandaParm.tmp
    2010-06-15 16:08:48 78 ----a-w- C:\AMANDA_GisData.tmp
    2010-06-15 16:08:48 28 ----a-w- C:\AMANDA_GisCommand.tmp

    ===============================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    =====================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Leave the logs in your next reply please.
     
  3. joshbtc


    Thanks for the quick reply Bobbye.

    I'm not sure why there are two different exes for the Samsung Auto Backup, but those have always been there since I installed the software - long before I had any redirect problems.

    The Symantec Ghost is apparently used by my agency to push out various updates or patches to individual computers.

    The Amanda entries are from a project tracking program that we use and don't appear suspicious.

    For this round of scans I managed to get McAfee disabled, but then it came back in the middle of the ComboFix scan. My IT department set it up to be very hard to disable and apparently something is going on to re-enable it as well. There were no apparent problems with ComboFix though.

    The search link redirect problem is still happening. If it helps, the URL that seems to come up most often during the redirect is "whattoseek.com".

    Here are the ComboFix and ESET logs:

    ComboFix 10-06-15.02 - BrannJ 06/15/2010 21:34:53.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2414 [GMT -7:00]
    Running from: c:\documents and settings\brannj\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\win.ini
    c:\windows\xpsp1hfm.log

    ----- BITS: Possible infected sites -----

    hxxp://192.168.16.9
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
    .

    2010-06-14 23:23 . 2010-06-14 23:23 503808 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6f75b268-n\msvcp71.dll
    2010-06-14 23:23 . 2010-06-14 23:23 499712 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6f75b268-n\jmc.dll
    2010-06-14 23:23 . 2010-06-14 23:23 348160 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6f75b268-n\msvcr71.dll
    2010-06-14 23:23 . 2010-06-14 23:23 61440 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-210cd5aa-n\decora-sse.dll
    2010-06-14 23:23 . 2010-06-14 23:23 12800 ----a-w- c:\documents and settings\brannj\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-210cd5aa-n\decora-d3d.dll
    2010-06-14 23:09 . 2010-06-14 23:09 -------- d-----w- c:\program files\Common Files\Java
    2010-06-14 23:06 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-14 22:51 . 2010-06-14 22:58 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-06-14 18:30 . 2010-06-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-06-14 18:30 . 2010-06-14 18:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-06-11 19:36 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-11 19:36 . 2010-06-11 19:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-11 19:36 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-11 00:13 . 2010-06-11 00:13 80896 ------w- c:\windows\system32\bfaa.sys
    2010-06-11 00:06 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-06-11 00:06 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-06-11 00:06 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-06-11 00:06 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-06-09 15:28 . 2010-04-20 05:30 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
    2010-06-09 15:28 . 2010-03-05 14:37 65536 ------w- c:\windows\system32\dllcache\asycfilt.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-15 18:59 . 2009-09-01 18:10 -------- d-----w- c:\program files\CyberPower PowerPanel Personal Edition
    2010-06-14 23:12 . 2010-01-23 00:21 -------- d-----w- c:\documents and settings\brannj\Application Data\SanDisk
    2010-06-14 23:06 . 2008-08-01 04:29 -------- d-----w- c:\program files\Java
    2010-06-14 18:25 . 2009-07-16 16:25 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-10 17:06 . 2008-11-03 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-05-19 16:44 . 2008-08-01 04:34 -------- d-----w- c:\program files\Google
    2010-05-02 05:22 . 2004-08-11 22:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:30 . 2004-08-11 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-16 16:09 . 2004-08-11 22:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-04-16 16:09 . 2009-04-29 15:30 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-26 08:48 . 2010-03-26 08:48 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
    2010-03-25 15:41 . 2009-08-20 18:04 5271657 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FramePkg.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
    "PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 315392]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-11 1015808]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
    "EPSON_UD_START"="c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UD.exe" [2008-05-22 329632]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2009-12-25 206216]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2010-02-18 136512]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    c:\documents and settings\brannj\Start Menu\Programs\Startup\
    Samsung Auto Backup Guage.lnk - c:\program files\Clarus\Samsung Auto Backup\ISFGuage.exe [2009-9-1 888832]
    Samsung Auto Backup Real-Time Daemon.lnk - c:\program files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe [2009-9-1 77824]
    Samsung Auto Backup Scheduler.lnk - c:\program files\Clarus\Samsung Auto Backup\ISFTimerD.exe [2009-9-1 94208]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Evoluent Mouse Manager.lnk - c:\windows\Installer\{A8323EF0-1E8A-4385-93ED-F97963793042}\_3E7D7F8C756EC1A9420DE2.exe [2008-12-10 1150]
    Notify.lnk - c:\novell\GroupWise\notify.exe [2007-6-6 192570]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-1116\Scripts\Logon\0\0]
    "Script"=CentralServicesLogin.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-1620\Scripts\Logon\0\0]
    "Script"=AmandaPerms.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-1620\Scripts\Logon\1\0]
    "Script"=DevServLogin.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-5191\Scripts\Logon\0\0]
    "Script"=AmandaPerms.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-5191\Scripts\Logon\1\0]
    "Script"=RoadsLogin.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8638\Scripts\Logon\0\0]
    "Script"=CSDCPerms.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8638\Scripts\Logon\1\0]
    "Script"=DevServLogin.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logoff\0\0]
    "Script"=Logofflog.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\0\0]
    "Script"=Logonlog.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\1\0]
    "Script"=ArcViewLR_PlanningDriveMap.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\2\0]
    "Script"=ArcViewSANDriveMap.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\3\0]
    "Script"=ArcViewLidarDriveMap.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\4\0]
    "Script"=AmandaPerms.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3623583912-3782946849-3472868662-8733\Scripts\Logon\5\0]
    "Script"=DevServLogin.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2010-04-03 23:44 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
    2010-04-04 05:32 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    2006-09-25 14:12 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2007-10-03 20:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "JavaQuickStarterService"=2 (0x2)
    "HPWJAUpdateService"=2 (0x2)
    "HPWJAService"=2 (0x2)
    "gusvc"=2 (0x2)
    "gupdate1c9a7e2e7f74102"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "Adobe LM Service"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Novell\\GroupWise\\grpwise.exe"=
    "c:\\Novell\\GroupWise\\notify.exe"=
    "c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=

    R1 bfaa;bfaa;c:\windows\system32\bfaa.sys [06/10/2010 5:13 PM 80896]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [06/20/2007 12:30 PM 79168]
    R2 EMP_UDSA;EMP_UDSA;c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [06/24/2009 2:23 PM 94208]
    R2 MSSQL$HPWJA;SQL Server (HPWJA);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [05/27/2009 4:27 AM 29262680]
    R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [12/24/2009 10:51 PM 607624]
    R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [06/24/2009 2:23 PM 17664]
    R3 evomouflt;Evoluent Mouse Filter Service;c:\windows\system32\drivers\evomouflt.sys [12/26/2007 3:03 PM 15872]
    S2 gupdate1c9a7e2e7f74102;Google Update Service (gupdate1c9a7e2e7f74102);c:\program files\Google\Update\GoogleUpdate.exe [03/18/2009 9:02 AM 133104]
    S2 Laserfiche Snapshot Service 8;Laserfiche Snapshot Service 8;c:\program files\Laserfiche\Client 8\Snapshot 8\SnapshotService80.exe [06/27/2009 4:36 PM 29992]
    S4 HPWJAService;HPWJA Service;c:\program files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe [02/09/2009 3:27 PM 45056]
    S4 HPWJAUpdateService;HP WJA Update Service;c:\program files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe [03/05/2009 12:45 PM 20480]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 16:02]

    2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-18 16:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://share/Pages/Default.aspx
    mStart Page = hxxp://www.dell.com
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\brannj\Application Data\Mozilla\Firefox\Profiles\fe3x0zwt.default\
    FF - prefs.js: browser.startup.homepage - hxxp://intra.co.thurston.wa.us/
    FF - plugin: c:\program files\Common Files\Laserfiche\System\nplfplugin.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPE2Host.dll
    FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    AddRemove-Adobe Acrobat Connect Add-in - c:\documents and settings\brannj\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-15 21:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-06-15 21:40:21
    ComboFix-quarantined-files.txt 2010-06-16 04:40

    Pre-Run: 46,243,483,648 bytes free
    Post-Run: 46,203,916,288 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - AB8F87B19DCE14865E5782EE19F048BA


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=bf47f4b3bd1bf040929736f534ebdc61
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-06-16 05:55:54
    # local_time=2010-06-15 10:55:54 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=187488
    # found=0
    # cleaned=0
    # scan_time=3939
     
  4. Bobbye


    Novell\\GroupWise:
    Josh, this is a work computer and you have an IT Department? I do not assist on work computers that have work-related programs active and who are covered by an IT department.
     
Topic Status:
Not open for further replies.
