Inactive URL Violations and cannot access search engines

I have a computer at work that cannot access any search engine, let alone google.com. Each time the employee tries to access the webpage, he receives the IE "cannot connect" error message. I have seen others on this forum post with similar problems and have followed the virus/malware steps listed in this forum. We are using Trend Micro Worry-Free Business Security Suite, but it cannot eliminate this problem; Trend Micro is, however, successfully blocking the machine's attempts to access numerous URLs every 2 minutes or so. I would like to avoid doing a full hard drive wipe and reformat, if possible. Please advise, and thank you in advance for any help.

Pasted Logs as follows:
Malwarebytes:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7766

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/21/2011 8:02:51 PM
mbam-log-2011-09-21 (20-02-51).txt

Scan type: Quick scan
Objects scanned: 315721
Time elapsed: 52 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\zcollins\local settings\Temp\5622.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\krcuet\setup.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
c:\documents and settings\zcollins\local settings\temporary internet files\Content.IE5\JC1UPAZZ\file[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\zcollins\local settings\temporary internet files\Content.IE5\XZPMFNR1\file[1].exe (Malware.Gen) -> Quarantined and deleted successfully.

GMER Log
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-22 08:31:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250310AS rev.3.ADA
Running: gs2ih4bw.exe; Driver: C:\DOCUME~1\zcollins\LOCALS~1\Temp\uxldipob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86F0331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 86F0331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86F0331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 86F0331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 86F0331B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86F0331B

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 86E8E121
Thread System [4:376] 86DFDB90

---- EOF - GMER 1.0.15 ----


DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by zcollins at 8:44:56 on 2011-09-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.496 [GMT -4:00]
.
AV: Trend Micro Security Agent *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.highpointengineering.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080624
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.6.1165\6.6.1081\TmIEPlg.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\zcollins\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {13AEBFDE-CA17-4423-AADE-59BD76C7BDA7} - hxxps://www51.dot.ny.gov/mft/upload/activex_packager.ocx
DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} - hxxps://projects.bovislendlease.com/pw/mpsPwLc7.CAB
DPF: {88448E4B-4286-401F-BB90-A1765E8B104C} - hxxps://www51.dot.ny.gov/mft/LiteCopy/lc_client_activex.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - hxxp://www.ads-pipe.com/dwf/DwfViewerSetup.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://www.realquest.com/mapviewer/mapviewer.cab
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.6.1165\6.6.1081\TmIEPlg.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\security agent\uiframework\ProToolbarIMRatingActiveX.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
Hosts: 74.55.76.230 www.google-analytics.com.
Hosts: 74.55.76.230 ad-emea.doubleclick.net.
Hosts: 74.55.76.230 www.statcounter.com.
.
============= SERVICES / DRIVERS ===============
.
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2011-9-8 736672]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-9-14 65296]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 2944]
R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]
S2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-9-14 196320]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-23 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== File Associations ===============
.
.scr=AutoCADLTScriptFile
.
=============== Created Last 30 ================
.
2011-09-22 12:41:18 607260 ------r- C:\dds.scr
2011-09-21 22:16:44 -------- d-----w- c:\documents and settings\zcollins\application data\Malwarebytes
2011-09-21 22:16:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-21 22:16:26 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-21 22:16:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-21 15:19:19 -------- d-----w- C:\sh4ldr
2011-09-21 15:19:19 -------- d-----w- c:\program files\Enigma Software Group
2011-09-21 15:18:17 -------- d-----w- c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP
2011-09-21 15:18:10 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-09-15 12:42:25 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-09-14 05:00:21 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-09-14 05:00:21 65296 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-09-14 05:00:21 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-09-14 04:58:54 -------- d-----w- c:\program files\Trend Micro
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-25 20:25:09 -------- d-----w- c:\program files\CEES
2011-08-24 21:38:51 -------- d-----w- c:\documents and settings\zcollins\local settings\application data\Check
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250310AS rev.3.ADA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F034D0]<< >>UNKNOWN [0x86E2B5B9]<<
_asm { INT 3 ; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f097d0]; MOV EAX, [0x86f0984c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F70AB8]
3 CLASSPNP[0xF7643FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006a[0x86FE2400]
5 ACPI[0xF74CA620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86F82940]
\Driver\atapi[0x86F4FB58] -> IRP_MJ_CREATE -> 0x86F034D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F0331B
NDIS: Intel(R) 82562V-2 10/100 Network Connection -> SendHandler -> 0x867492a0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:46:32.70 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/11/2008 10:29:47 AM
System Uptime: 9/21/2011 8:04:46 PM (12 hours ago)
.
Motherboard: Dell Inc. | | 0RY007
Processor: Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz | Socket 775 | 1995/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 229 GiB total, 191.224 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP791: 6/25/2011 1:14:37 AM - System Checkpoint
RP792: 6/26/2011 7:14:41 AM - System Checkpoint
RP793: 6/27/2011 7:08:24 PM - System Checkpoint
RP794: 6/28/2011 7:14:50 PM - System Checkpoint
RP795: 6/29/2011 1:00:45 PM - Software Distribution Service 3.0
RP796: 6/30/2011 7:39:28 PM - System Checkpoint
RP797: 7/2/2011 1:35:54 AM - System Checkpoint
RP798: 7/3/2011 7:35:55 AM - System Checkpoint
RP799: 7/4/2011 1:23:58 PM - System Checkpoint
RP800: 7/5/2011 7:25:09 PM - System Checkpoint
RP801: 7/7/2011 1:24:05 AM - System Checkpoint
RP802: 7/8/2011 7:36:10 AM - System Checkpoint
RP803: 7/9/2011 1:24:14 PM - System Checkpoint
RP804: 7/10/2011 7:24:13 PM - System Checkpoint
RP805: 7/12/2011 1:24:18 AM - System Checkpoint
RP806: 7/13/2011 7:36:21 AM - System Checkpoint
RP807: 7/13/2011 1:00:33 PM - Software Distribution Service 3.0
RP808: 7/14/2011 4:02:48 PM - System Checkpoint
RP809: 7/15/2011 9:22:39 PM - System Checkpoint
RP810: 7/17/2011 3:22:40 AM - System Checkpoint
RP811: 7/18/2011 9:34:08 AM - System Checkpoint
RP812: 7/19/2011 6:29:57 PM - System Checkpoint
RP813: 7/20/2011 6:49:38 PM - System Checkpoint
RP814: 7/22/2011 3:10:52 AM - System Checkpoint
RP815: 7/23/2011 9:22:58 AM - System Checkpoint
RP816: 7/24/2011 3:10:57 PM - System Checkpoint
RP817: 7/25/2011 6:07:28 PM - System Checkpoint
RP818: 7/26/2011 6:37:05 PM - System Checkpoint
RP819: 7/27/2011 10:30:43 PM - System Checkpoint
RP820: 7/28/2011 9:26:22 AM - Installed HP Web Registration
RP821: 7/29/2011 5:56:23 PM - System Checkpoint
RP822: 7/30/2011 6:26:06 PM - System Checkpoint
RP823: 7/31/2011 7:23:10 PM - System Checkpoint
RP824: 8/1/2011 3:07:46 PM - Installed Meridian Systems Prolog WebSite 2008 Client (HF1).
RP825: 8/2/2011 7:55:47 PM - System Checkpoint
RP826: 8/3/2011 8:23:07 PM - System Checkpoint
RP827: 8/4/2011 8:43:03 PM - System Checkpoint
RP828: 8/5/2011 9:35:13 PM - System Checkpoint
RP829: 8/6/2011 10:23:10 PM - System Checkpoint
RP830: 8/7/2011 11:23:13 PM - System Checkpoint
RP831: 8/8/2011 2:02:54 PM - Installed ReConWall
RP832: 8/9/2011 6:00:34 PM - System Checkpoint
RP833: 8/10/2011 6:49:56 PM - System Checkpoint
RP834: 8/12/2011 12:32:54 AM - System Checkpoint
RP835: 8/13/2011 6:21:01 AM - System Checkpoint
RP836: 8/13/2011 9:00:19 PM - Software Distribution Service 3.0
RP837: 8/15/2011 3:29:43 AM - System Checkpoint
RP838: 8/16/2011 12:13:13 PM - System Checkpoint
RP839: 8/17/2011 6:01:58 PM - System Checkpoint
RP840: 8/18/2011 9:41:57 PM - System Checkpoint
RP841: 8/20/2011 3:29:59 AM - System Checkpoint
RP842: 8/21/2011 9:54:34 AM - System Checkpoint
RP843: 8/22/2011 7:48:45 PM - System Checkpoint
RP844: 8/23/2011 9:42:10 PM - System Checkpoint
RP845: 8/25/2011 3:50:10 AM - System Checkpoint
RP846: 8/25/2011 4:25:07 PM - Installed CEES
RP847: 8/26/2011 7:30:17 PM - System Checkpoint
RP848: 8/27/2011 9:00:21 PM - Software Distribution Service 3.0
RP849: 8/30/2011 12:10:33 PM - System Checkpoint
RP850: 8/31/2011 1:48:04 PM - System Checkpoint
RP851: 9/1/2011 4:57:53 PM - System Checkpoint
RP852: 9/2/2011 5:33:33 PM - System Checkpoint
RP853: 9/3/2011 6:47:48 PM - System Checkpoint
RP854: 9/5/2011 12:47:51 AM - System Checkpoint
RP855: 9/6/2011 6:47:56 AM - System Checkpoint
RP856: 9/7/2011 9:52:46 PM - Software Distribution Service 3.0
RP857: 9/9/2011 4:30:09 AM - System Checkpoint
RP858: 9/10/2011 10:30:12 AM - System Checkpoint
RP859: 9/11/2011 4:30:12 PM - System Checkpoint
RP860: 9/12/2011 6:16:00 PM - System Checkpoint
RP861: 9/13/2011 10:07:34 PM - System Checkpoint
RP862: 9/14/2011 7:02:40 PM - Software Distribution Service 3.0
RP863: 9/15/2011 7:11:35 PM - System Checkpoint
RP864: 9/17/2011 12:54:28 AM - System Checkpoint
RP865: 9/18/2011 6:42:27 AM - System Checkpoint
RP866: 9/19/2011 2:20:09 PM - System Checkpoint
RP867: 9/20/2011 4:04:42 PM - System Checkpoint
RP868: 9/21/2011 11:19:18 AM - Installed SpyHunter
RP869: 9/21/2011 1:24:36 PM - Removed Browser Address Error Redirector.
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.0.1)
APC PowerChute Personal Edition
ArcGIS ArcReader
AutoCAD LT 2005 - English
Autodesk 2005 OE Hotfix
Autodesk Architectural 2005 Object Enabler
Autodesk DWF Viewer
Autodesk Land 2005 Object Enabler
CEES
COMcheck 3.7.0
COMcheck 3.8.2
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
CutePDF Writer 2.7
Dell Driver Reset Tool
Dell Support Center (Support Software)
Dell System Restore
Digital Line Detect
Documentation & Support Launcher
FileOpen Client
Games, Music, & Photos Launcher
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
GoToAssist 8.0.0.514
GPL Ghostscript 8.62
GPL Ghostscript Fonts
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Designjet 510 Printer Series
HP Web Registration
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Japanese Fonts Support For Adobe Reader 9
Java(TM) 6 Update 5
KIP Request 7
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware version 1.51.2.1300
Meridian Systems Prolog WebSite 2008 Client (HF1)
Meridian Systems Prolog Website 2008 File Management Control (HF1)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Diagnostic Tool
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Musicmatch for Windows Media Player
NetWaiting
PowerDVD
Realtek High Definition Audio Driver
ReConWall
REScheck 4.3.1
RK CutterBanker 3
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
RxFilters3D
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SpyHunter
Trend Micro Worry-Free Business Security Agent
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WorkgroupShare Client
.
==== Event Viewer Messages From Past Week ========
.
9/22/2011 8:28:46 AM, error: Print [33] - The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 54b
9/22/2011 8:24:49 AM, error: NETLOGON [5719] - No Domain Controller is available for domain HIGHPOINT due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
9/21/2011 8:06:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor
9/21/2011 3:26:56 PM, error: Service Control Manager [7034] - The SpyHunter 4 Service service terminated unexpectedly. It has done this 1 time(s).
9/21/2011 2:59:12 PM, error: Service Control Manager [7000] - The DameWare Mini Remote Control service failed to start due to the following error: The system cannot find the file specified.
9/21/2011 1:31:15 PM, error: Service Control Manager [7034] - The DameWare Mini Remote Control service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
 
Welcome to TechSpot! It is no wonder the employee is having problems:
1. There is a rootkit on the system.
2. There is a Backdoor.IRCBot on the system.
3. Java is outdated and there will be malware in the Java cache.
4. It appears that at least part of the reason he can't access is because of:
9/22/2011 8:24:49 AM, error: NETLOGON [5719] - No Domain Controller is available for domain HIGHPOINT due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
======================================
#2. What is a Backdoor.bot?
This is a piece of malware that has worm, downloader, backdoor, keylogger and spy ability. It may arrive on a system after being exploited by a copy of the worm residing on an infected machine in the network. After execution, the malware will inject a piece of code in kernel mode (by gaining access to \Device\PhysicalMemory). It will make a copy of itself inside c:\windows\fonts\unwise_.exe (hidden), execute it and continue execution there. The original file will then be deleted. The worm will register itself as a service under the name Windows Hosts Controller, and sets its description to "Enables Windows Host Controller Service. This service cannot be stopped." to discourage users from deleting it.
- The worm has the ability to spread via:
  o USB drives; when it detects a new drive, it will make a fresh copy of itself on the USB drive in the following directory: Recycler\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx\file-name.exe. It will also create an autorun.inf file that will point to the new copy.
And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:
  1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
  2. Data theft (e.g. retrieving passwords or credit card information)
  3. Installation of software, including third-party malware
  4. Downloading or uploading of files on the user's computer
  5. Modification or deletion of files
  6. Keystroke logging
  7. Watching the user's screen
  8. Wasting the computer's storage space
  9. Crashing the computer

Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean, which may not find or remove all of its code?
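For anyone reading this thread later and wanting to check the USB sticks that were plugged into an infected machine: the spread mechanism described above (a hidden copy under a Recycler\S-x-x-xx-...\ folder plus an autorun.inf that points at it) leaves a recognisable fingerprint in the autorun.inf file. The script below is an added example written for this thread, not something Bobbye or Trend Micro posted; it parses an autorun.inf, flags any launch key whose target sits in a SID-named Recycler folder, and can walk a drive root to find such files. The regex and the constructed sample autorun.inf are assumptions based on the pattern quoted in the reply, not a signature taken from a vendor.

```python
import os
import re
from pathlib import Path

# Assumed pattern, derived from the path quoted in the reply above:
# Recycler\S-x-x-xx-xxxxxxxxxx-...\file-name.exe (a SID-like folder name).
# Real recycle-bin folders use SID names too, but a legitimate autorun.inf
# never needs to launch anything from inside one.
SID_DIR_RE = re.compile(r"(?i)^recycler[\\/]s-\d+-\d+-\d+(?:-\d+)+[\\/]")

# Keys in the [autorun] section that cause something to be executed.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section (keys lowercased)."""
    keys = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def suspicious_autorun_targets(text):
    """List (key, value) pairs whose launch target lives in a Recycler\\S-...\\ folder."""
    keys = parse_autorun(text)
    hits = []
    for key in LAUNCH_KEYS:
        value = keys.get(key)
        if value is None:
            continue
        # Strip quotes and a leading ".\" so ".\Recycler\..." is still matched.
        target = value.strip('"').lstrip(".\\/")
        if SID_DIR_RE.search(target):
            hits.append((key, value))
    return hits


def scan_drive_root(root):
    """Read autorun.inf at the root of a drive (if present) and return its suspicious targets."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    return suspicious_autorun_targets(inf.read_text(errors="replace"))


# Constructed sample autorun.inf in the shape described in the reply (not a real capture).
SAMPLE_BAD = (
    "[autorun]\n"
    "open=Recycler\\S-1-5-21-1234567890-1234567890-123456789-1000\\file-name.exe\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
)

# Constructed benign autorun.inf, e.g. from a vendor install CD.
SAMPLE_OK = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, suspicious_autorun_targets(sample))
    # Scan every mounted removable drive letter on Windows; harmless elsewhere.
    for letter in "DEFGHIJK":
        root = f"{letter}:\\"
        if os.path.isdir(root):
            print(root, scan_drive_root(root))
```

Finding a hit does not clean anything; it tells you which sticks carried the worm out of the office and need the same treatment as the PC, and it is a good reason to keep AutoPlay disabled on the rest of the XP machines.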
 
Thanks for the response Bobbye. I was hoping there may be a chance to remove whatever malware/viruses on the machine w/o a reformat, but as I figured, it seems that is the best move right now. Thanks again for your help!
 