I am running ComboFix on a machine. It keeps showing me the message "Windows cannot find NIRKMD, make sure you typed the name correctly.."
It does not continue the steps unless I press OK.
I am running ComboFix on an XP machine - SP3. Please let me know if you need any more information.
I have run ComboFix on a different machine without any issues.
I cannot find any help on NIRKMD on the internet. I would also like to know what it is and what it does.
Please guide me in the right direction.
Many thanks in advance.
Hi Andrew,
I have noticed that you have moved my post, so I guess I opened it under the wrong topic.
Do you want me to run ComboFix? Just to inform you, it does not let me run it unless I press OK on the NIRKMD message, as mentioned in the above thread.
I will try and run it again. As it is on someone else's PC at work, I have to wait till they let me have their PC to run the scan. I will post the result ASAP.
Thanks
Please find my scan report.
ComboFix 11-06-01.07 - 02/06/2011 9:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1454 [GMT 1:00]
Running from: c:\documents and settings\Desktop\ComboFix.exe
Command switches used :: /u
AV: McAfee® Security-as-a-Service Anti-virus *Disabled/Updated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.HAP\WINDOWS
c:\windows\system32\bin
.
.
((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 )))))))))))))))))))))))))))))))
.
.
2011-05-31 06:39 . 2011-05-31 06:39 8321 ----a-w- c:\windows\system32\drivers\CDProbe.SYS
2011-05-23 07:34 . 2011-05-23 07:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2011-05-09 16:22 . 2011-05-09 16:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 08:31 . 2009-05-15 07:36 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-05-31 06:39 . 2009-05-15 07:36 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-05-31 06:39 . 2009-05-13 08:16 57752 ----a-w- c:\windows\system32\rpcnet.dll
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-02-05 17:39 . 2008-02-05 17:38 28868320 ----a-w- c:\program files\FileFormatConverters.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\anthonyd\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\anthonyd\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\anthonyd\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\anthonyd\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-14 39408]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 178712]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2011-01-25 476480]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2009-05-30 169984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\anthonyd\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\anthonyd\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-2353\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-2354\Scripts\Logon\0\0]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-2354\Scripts\Logon\0\1]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-7340\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-7340\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-7340\Scripts\Logon\0\2]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-7340\Scripts\Logon\0\3]
"Script"=Disableproxy.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-7378\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-7378\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-7378\Scripts\Logon\0\2]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-7383\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-7383\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8141\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8141\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8141\Scripts\Logon\0\2]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8215\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8215\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8215\Scripts\Logon\0\2]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8215\Scripts\Logon\0\3]
"Script"=Disableproxy.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8215\Scripts\Logon\0\4]
"Script"=Outlook 2011 Global settings.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8296\Scripts\Logon\0\0]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8296\Scripts\Logon\0\1]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8677\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8677\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8677\Scripts\Logon\0\2]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8679\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8679\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8679\Scripts\Logon\0\2]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8899\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8899\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-885222611-2063553274-1082013118-8899\Scripts\Logon\0\2]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-500\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-500\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7778\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7778\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7778\Scripts\Logon\0\2]
"Script"=Messenger.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7778\Scripts\Logon\0\3]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7791\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7791\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7791\Scripts\Logon\0\2]
"Script"=Messenger.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7791\Scripts\Logon\0\3]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7815\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7815\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7829\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7829\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-7829\Scripts\Logon\0\2]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-8590\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-8590\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-8590\Scripts\Logon\0\2]
"Script"=Audit.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-8590\Scripts\Logon\0\3]
"Script"=Messenger.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-8638\Scripts\Logon\0\0]
"Script"=Logonscript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-914559495-1175209041-6498272-8638\Scripts\Logon\0\1]
"Script"=MNDUserName.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15/02/2007 18:00 26624]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/08/2010 14:55 88544]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [23/01/2007 04:58 133968]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [15/10/2010 15:44 324928]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [05/01/2011 10:20 145936]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [16/02/2011 10:23 291064]
R2 RumorServer;McAfee Peer Distribution Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [16/02/2011 10:23 291064]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [16/10/2008 10:49 311374]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [16/10/2008 10:49 217088]
R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [31/05/2011 07:39 8321]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [07/02/2007 18:00 2944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 22:37 4640000]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17/03/2010 19:05 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [17/03/2010 19:05 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/08/2010 14:55 85152]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 11:25 30969208]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/08/2004 18:00 14336]
S4 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [24/01/2008 16:21 4064]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASFALRT
*Deregistered* - AsfAlrt
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
2011-05-18 c:\windows\Tasks\FileCure Default.job
- c:\program files\ParetoLogic\FileCure\FileCure.exe [2011-03-01 23:00]
.
2011-05-31 c:\windows\Tasks\FileCure Startup.job
- c:\program files\ParetoLogic\FileCure\FileCure.exe [2011-03-01 23:00]
.
2011-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-17 18:05]
.
2011-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-17 18:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: google.com\picasa
TCP: DhcpNameServer = 194.11.5.35 194.11.5.32
DPF: {4A224399-F178-4816-8CDD-65873E3B92A5} - hxxps://cognos.dmsp.com/cognos/contributor/controls/clientFull73.cab
DPF: {57D60ED1-AFA0-47C3-A850-723896923971} - hxxps://cognos.dmsp.com/cognos/contributor/controls/epcWebInstaller73.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-DameWare MRC Agent - c:\windows\system32\DWRCST.exe
AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-02 09:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(7656)
c:\windows\system32\WININET.dll
c:\documents and settings\anthonyd\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-06-02 10:00:51
ComboFix-quarantined-files.txt 2011-06-02 09:00
.
Pre-Run: 30,017,355,776 bytes free
Post-Run: 40,031,543,296 bytes free
.
- - End Of File - - 8E3A19D887328792035D826110B10F29
Mod Edit: Merged posts, moved topic from AII to MRL ~ Hamluis.
Hi,
Can you please provide any update on this issue, as I have now had a few machines showing the same message "Windows cannot find NIRKMD".
Thanks
EDIT: Please be patient. There are over 330 unanswered topics in this forum at present and the current average wait time to receive help is 10 days. ~Budapest
This post has been edited by Budapest: 07 June 2011 - 04:12 PM
Reason for edit: Mod Edit: Moved From MRL To AII - AA
