
How to remove Total Security Protection Center


15 replies to this topic

#1 clide


  • Members
  • 7 posts

Posted 11 September 2009 - 11:23 AM

Total Security Protection Center keeps popping up again and again. I've tried to remove it and it keeps coming back; can't be removed with normal "Change/Remove" on the control panel. I found bleepingcomputer on a Google search and followed all the instructions that led to downloading something to shut it off and then downloading Malwarebytes' program that seemed to remove some stuff, but not this problem. Still there. The last item said that if still a problem to go through these steps to post the problem. Hoping this will help and appreciate your time. Will now follow the steps to post the txt files that were created and hope I get those on correctly.


DDS (Ver_09-07-30.01) - NTFSx86
Run by CESHBAUGH at 8:52:35.15 on Wed 09/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2003.1262 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6087v035\wdm\stacsv.exe
svchost.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\rpcld.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Documents and Settings\CESHBAUGH\Desktop\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TS\tsc.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Documents and Settings\CESHBAUGH\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: System=ziswin.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TS] c:\program files\ts\tsc.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [NWTRAY] NWTRAY.EXE
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
mPolicies-system: disablecad = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
Trusted Zone: 4medica.com
Trusted Zone: 4medica.net
Trusted Zone: aaet.info
Trusted Zone: abret.org
Trusted Zone: afponline.org
Trusted Zone: allergan.com
Trusted Zone: aset.org
Trusted Zone: cardinal.com
Trusted Zone: cdc.gov
Trusted Zone: cmecourses.com
Trusted Zone: doweaver.com
Trusted Zone: edmweb
Trusted Zone: fda.gov
Trusted Zone: greatplacetowork.com\www
Trusted Zone: healthstream.com\www
Trusted Zone: ibexp
Trusted Zone: imageweb
Trusted Zone: imedris.net
Trusted Zone: imedris.net\sw
Trusted Zone: immunize.org
Trusted Zone: imredres.net
Trusted Zone: Infgw01
Trusted Zone: live.com\login
Trusted Zone: malichai
Trusted Zone: medco.com
Trusted Zone: medicaider.com
Trusted Zone: metftp
Trusted Zone: microsoft.com
Trusted Zone: msdn.com
Trusted Zone: msn.com
Trusted Zone: mycmsc.com
Trusted Zone: mycmsc.com\swthrms
Trusted Zone: netaccesse
Trusted Zone: oasgoldprod
Trusted Zone: pacsweb
Trusted Zone: payflex.com\ftp
Trusted Zone: periop-www4
Trusted Zone: perryop.com
Trusted Zone: pressganey.com
Trusted Zone: ptcny.com
Trusted Zone: smsnar2
Trusted Zone: smsnarstage
Trusted Zone: smsnarstorage
Trusted Zone: state.tx.us\khc.tdh
Trusted Zone: sw.org
Trusted Zone: sw.org\*.swntdomain
Trusted Zone: sw.org\epremis-public
Trusted Zone: sw.org\epremis-support
Trusted Zone: sw.org\epremis-web
Trusted Zone: swhp.org
Trusted Zone: tmhsi.net
Trusted Zone: vanguard.com\ftp
Trusted Zone: wvgtwy01
Trusted Zone: 4medica.com
Trusted Zone: 4medica.net
Trusted Zone: aaet.info
Trusted Zone: abret.org
Trusted Zone: afponline.org
Trusted Zone: allergan.com
Trusted Zone: aset.org
Trusted Zone: cardinal.com
Trusted Zone: cdc.gov
Trusted Zone: cmecourses.com
Trusted Zone: doweaver.com
Trusted Zone: edmweb
Trusted Zone: fda.gov
Trusted Zone: greatplacetowork.com\www
Trusted Zone: healthstream.com\www
Trusted Zone: ibexp
Trusted Zone: imageweb
Trusted Zone: imedris.net
Trusted Zone: imedris.net\sw
Trusted Zone: immunize.org
Trusted Zone: imredres.net
Trusted Zone: Infgw01
Trusted Zone: live.com\login
Trusted Zone: malichai
Trusted Zone: medco.com
Trusted Zone: medicaider.com
Trusted Zone: metftp
Trusted Zone: microsoft.com
Trusted Zone: mycmsc.com
Trusted Zone: mycmsc.com\swthrms
Trusted Zone: netaccesse
Trusted Zone: oasgoldprod
Trusted Zone: pacsweb
Trusted Zone: payflex.com\ftp
Trusted Zone: periop-www4
Trusted Zone: perryop.com
Trusted Zone: pressganey.com
Trusted Zone: ptcny.com
Trusted Zone: smsnar2
Trusted Zone: smsnarstage
Trusted Zone: smsnarstorage
Trusted Zone: state.tx.us\khc.tdh
Trusted Zone: sw.org
Trusted Zone: sw.org\*.swntdomain
Trusted Zone: sw.org\epremis-public
Trusted Zone: sw.org\epremis-support
Trusted Zone: sw.org\epremis-web
Trusted Zone: swhp.org
Trusted Zone: tmhsi.net
Trusted Zone: vanguard.com\ftp
Trusted Zone: wvgtwy01
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
SEH: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
LSA: Authentication Packages = msv1_0 nwv1_0
LSA: Notification Packages = SbNp scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ceshba~1\applic~1\mozilla\firefox\profiles\65y8piud.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-23 342128]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-6-23 103760]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-7-16 44976]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-6-23 6496]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-6-23 33328]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-6-23 34480]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-6-23 15248]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2008-12-18 33664]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-5-23 6899]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-9-4 406808]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-4-29 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-16 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-4-29 144888]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-4-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-8-27 70216]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 167936]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\windows\system32\rpcld.exe [2009-5-7 181608]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2008-6-23 380988]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-10-1 90112]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-12-18 112128]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-5-23 2773]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-25 110080]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-8 38160]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-23 91640]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-23 43288]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-8-27 65224]

=============== Created Last 30 ================

2009-09-09 08:52 <DIR> --d----- c:\temp\RarSFX0
2009-09-09 08:28 16,384 a------t c:\temp\Perflib_Perfdata_474.dat
2009-09-08 15:14 <DIR> --d----- c:\docume~1\ceshba~1\applic~1\Malwarebytes
2009-09-08 15:14 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 15:14 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 15:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-08 15:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 12:56 <DIR> --d----- c:\program files\common files\TSUninstall
2009-09-08 12:56 <DIR> --d----- c:\program files\TS
2009-09-01 09:59 <DIR> --d----- c:\temp\hsperfdata_CESHBAUGH
2009-08-28 08:21 <DIR> --d----- c:\temp\gwprint
2009-08-27 13:22 70,216 a------- c:\windows\system32\mfevtps.exe
2009-08-27 13:22 65,224 a------- c:\windows\system32\drivers\mferkdet.sys
2009-08-26 10:09 <DIR> --d----- c:\temp\Word8.0

==================== Find3M ====================

2009-09-08 16:24 56,680 a------- c:\windows\system32\rpcnet.dll
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 11:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 11:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 13:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 13:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 13:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 13:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 13:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 13:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 13:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 13:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 13:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 13:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 13:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 13:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-25 03:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 03:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-22 06:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 06:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 06:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 06:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 06:50 76,288 a------- c:\windows\system32\telnet.exe

============= FINISH: 8:53:00.35 ===============



#2 shelf life


  • Malware Response Team
  • 2,646 posts

Posted 20 September 2009 - 05:49 PM

hi clide,

Sorry for delay, no shortage of posters. If you still need help with the malware reply to the post.

How Can I Reduce My Risk to Malware?


#3 clide

  • Topic Starter

  • Members
  • 7 posts

Posted 21 September 2009 - 08:03 AM

Yes, still having problems. Any advice on what I should do now after I've done what I've posted? Thanks for your time.

#4 shelf life


  • Malware Response Team
  • 2,646 posts

Posted 21 September 2009 - 04:22 PM

hi,

ok, we will get a download to use. It's called ComboFix. There is a guide you need to read first. Read through the guide, download ComboFix to your desktop, disable your AV, etc., as explained in the guide. Click the icon and follow the prompts. Post the log from ComboFix in your reply.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 clide

  • Topic Starter

  • Members
  • 7 posts

Posted 22 September 2009 - 01:00 PM

Done. Here it is. Thank you again for your time.

Attached Files

  • Attached File: log.txt (20.3KB, 14 downloads)


#6 shelf life


  • Malware Response Team
  • 2,646 posts

Posted 22 September 2009 - 02:37 PM

I posted the log in for easier viewing:

ComboFix 09-09-21.04 - CESHBAUGH 09/22/2009 12:20.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2003.1389 [GMT -5:00]
Running from: c:\documents and settings\CESHBAUGH\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-1614895754-1563985344-725345543-500
c:\temp\kbiwkmnqqojqycok.tmp
c:\temp\kbiwkmseqwmivkos.tmp
c:\windows\Installer\f6a4.msi
c:\windows\system32\drivers\kbiwkmxjcmjvnk.sys
c:\windows\system32\kbiwkmeycbavkd.dll
c:\windows\system32\kbiwkmoeuwqaqm.dat
c:\windows\system32\kbiwkmoyrgdciu.dll
c:\windows\system32\kbiwkmpvqoxlhi.dat
c:\windows\system32\kbiwkmxxbkpuwq.dll

----- BITS: Possible infected sites -----

hxxp://malichai
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gxvxcserv.sys
-------\Legacy_kbiwkmmtkfuexb
-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-22 17:49 . 2009-09-22 17:49 53248 ----a-w- c:\temp\catchme.dll
2009-09-21 21:22 . 2009-09-21 21:22 -------- d-----w- c:\temp\msohtml1
2009-09-21 21:22 . 2009-09-21 21:22 -------- d-----w- c:\temp\msohtml
2009-09-09 13:52 . 2009-09-09 13:54 -------- d-----w- c:\temp\RarSFX0
2009-09-08 20:14 . 2009-09-08 20:14 -------- d-----w- c:\documents and settings\CESHBAUGH\Application Data\Malwarebytes
2009-09-08 20:14 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 20:14 . 2009-09-08 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 20:14 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 20:14 . 2009-09-08 20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 19:09 . 2009-09-08 19:09 0 ----a-w- c:\windows\nsreg.dat
2009-09-08 19:09 . 2009-09-08 19:09 -------- d-----w- c:\documents and settings\CESHBAUGH\Local Settings\Application Data\Mozilla
2009-09-08 17:56 . 2009-09-08 17:56 -------- d-----w- c:\program files\Common Files\TSUninstall
2009-09-08 17:56 . 2009-09-17 17:12 -------- d-----w- c:\program files\TS
2009-09-01 14:59 . 2009-09-01 15:01 -------- d-----w- c:\temp\hsperfdata_CESHBAUGH
2009-08-28 13:21 . 2009-09-21 21:45 -------- d-----w- c:\temp\gwprint
2009-08-27 18:22 . 2009-04-30 01:07 70216 ----a-w- c:\windows\system32\mfevtps.exe
2009-08-27 18:22 . 2009-04-30 01:07 65224 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2009-08-26 15:09 . 2009-09-22 17:42 -------- d-----w- c:\temp\Word8.0
2009-08-25 18:56 . 2009-08-25 18:56 -------- d-----w- c:\windows\ServicePackFiles
2009-08-25 18:56 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 17:48 . 2009-05-07 19:24 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-22 17:47 . 2008-12-19 16:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-07 00:24 . 2008-12-18 21:03 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2008-12-18 21:03 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2008-12-18 21:03 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2008-01-24 00:34 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2008-12-18 21:03 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2008-12-18 21:03 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-12-18 21:03 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 13:21 . 2009-07-30 13:21 -------- d-----w- c:\documents and settings\CESHBAUGH\Application Data\CyberLink
2009-07-30 13:21 . 2009-07-30 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-04 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-08-04 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-04 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-04 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-04 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-04 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-04 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-04 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-04 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-04 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-04 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-04 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-04 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2004-08-04 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-04 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-04 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-04 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-04 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-27 471040]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-25 446563]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-17 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-17 150040]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-02 200704]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-18 2220032]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-10-01 1454080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2008-06-02 69632]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 15:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
Notification Packages REG_MULTI_SZ SbNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-229141\Scripts\Logon\0\0]
"Script"=\\vst\isds$\AppInstall\UserInvLog\UserInvLog.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-229141\Scripts\Logon\1\0]
"Script"=GWLDAPTAMHSC.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-229141\Scripts\Logon\2\0]
"Script"=\\swntdomain\NETLOGON\ADlogon\ADlogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-3114\Scripts\Logon\0\0]
"Script"=\\vst\isds$\AppInstall\UserInvLog\UserInvLog.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-3114\Scripts\Logon\1\0]
"Script"=GWLDAPTAMHSC.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-3114\Scripts\Logon\2\0]
"Script"=\\swntdomain\NETLOGON\ADlogon\ADlogon.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=""
"AntiVirusOverride"=""
"FirewallOverride"=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [6/23/2008 8:31 AM 103760]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [7/16/2007 1:32 PM 44976]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [6/23/2008 8:31 AM 6496]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [6/23/2008 8:31 AM 33328]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [6/23/2008 8:31 AM 34480]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [6/23/2008 8:32 AM 15248]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [12/18/2008 5:32 PM 33664]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 3:47 PM 6899]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [9/4/2008 6:28 PM 406808]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [4/29/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/27/2009 1:22 PM 70216]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 11:59 AM 167936]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\windows\system32\rpcld.exe [5/7/2009 2:38 PM 181608]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [6/23/2008 8:33 AM 380988]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [10/1/2008 5:28 AM 90112]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [5/2/2006 10:17 AM 61440]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [12/18/2008 4:20 PM 112128]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 3:11 PM 2773]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/25/2008 9:49 AM 110080]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/27/2009 1:22 PM 65224]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\CESHBAUGH\Application Data\Mozilla\Firefox\Profiles\65y8piud.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TS - c:\program files\TS\tsc.exe
AddRemove-TS - c:\program files\TS\tsc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 12:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\SafeBoot\SBGINA.DLL
c:\program files\SafeBoot\SbGinaLib.dll
c:\program files\SafeBoot\SbUserObj.dll
c:\program files\SafeBoot\sbdbmgr.dll
c:\program files\SafeBoot\SbComms.dll
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\SafeBoot\SBUILIB.DLL
c:\program files\SafeBoot\SbAlgs\SBALG.DLL
c:\program files\SafeBoot\SbTokens\SbTokenPwd.dll
c:\program files\Novell\ZENworks\WMNTAPI.DLL

- - - - - - - > 'lsass.exe'(1012)
c:\windows\system32\SbNp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\BCMWLTRY.EXE
c:\program files\IDT\DellXPM09B_6087v035\WDM\stacsv.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\McAfee\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2009-09-22 12:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-22 17:53

Pre-Run: 67,642,642,432 bytes free
Post-Run: 67,766,800,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

376 --- E O F --- 2009-09-22 15:00

How Can I Reduce My Risk to Malware?


#7 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 22 September 2009 - 02:48 PM

OK, so far so good. Please check Malwarebytes for updates, then do a full scan with it and post its log:

Start MBAM and click on the Update tab, then the Check for Updates button:
If an update is found, it will download and install the latest version.

Once the update is finished, select the scanner tab and check: Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted, choose Yes to restart.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually.

Once MBAM is all finished, rerun ComboFix after disabling your AV and anti-malware.
Post the new ComboFix log also.



#8 clide
  • Topic Starter
  • Members
  • 7 posts

Posted 23 September 2009 - 12:05 PM

OK, I did half of what you said. Ran Malwarebytes again and this time it got the problem off my laptop. The log is attached. Should I still complete what you said? Turn off McAfee anti-virus and run ComboFix again?

Thanks again for your time.




#9 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 23 September 2009 - 07:30 PM

Hi,

You're welcome. Yes, please disable AV etc. and rerun ComboFix and post its log.



#10 clide
  • Topic Starter
  • Members
  • 7 posts

Posted 25 September 2009 - 08:04 AM

Okay. Here are both of them.

Thanks.




#11 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 27 September 2009 - 07:20 PM

OK, thanks. I have pasted in both logs for easier viewing:


Malwarebytes' Anti-Malware 1.41
Database version: 2844
Windows 5.1.2600 Service Pack 2

9/23/2009 8:20:12 AM
mbam-log-2009-09-23 (08-20-11).txt

Scan type: Full Scan (C:\|D:\|H:\|L:\|Q:\|Z:\|)
Objects scanned: 330079
Time elapsed: 2 hour(s), 30 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmmtkfuexb (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Common Files\TSUninstall (Rogue.TotalSecurity) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmeycbavkd.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxxbkpuwq.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\TSUninstall\Uninstall.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Computer Scan.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Help.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Registration.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Security Center.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Settings.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Total Security.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\TS\Update.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\CESHBAUGH\Application Data\Microsoft\Internet Explorer\Quick Launch\TS.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
========================================
ComboFix 09-09-23.02 - CESHBAUGH 09/24/2009 16:55.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2003.1357 [GMT -5:00]
Running from: c:\documents and settings\CESHBAUGH\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://malichai
.
((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-24 21:59 . 2009-09-24 21:59 53248 ----a-w- c:\temp\catchme.dll
2009-09-21 21:22 . 2009-09-21 21:22 -------- d-----w- c:\temp\msohtml1
2009-09-21 21:22 . 2009-09-21 21:22 -------- d-----w- c:\temp\msohtml
2009-09-09 13:52 . 2009-09-09 13:54 -------- d-----w- c:\temp\RarSFX0
2009-09-08 20:14 . 2009-09-08 20:14 -------- d-----w- c:\documents and settings\CESHBAUGH\Application Data\Malwarebytes
2009-09-08 20:14 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 20:14 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 20:14 . 2009-09-08 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 20:14 . 2009-09-22 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 19:09 . 2009-09-08 19:09 0 ----a-w- c:\windows\nsreg.dat
2009-09-08 19:09 . 2009-09-08 19:09 -------- d-----w- c:\documents and settings\CESHBAUGH\Local Settings\Application Data\Mozilla
2009-09-08 17:56 . 2009-09-17 17:12 -------- d-----w- c:\program files\TS
2009-09-01 14:59 . 2009-09-01 15:01 -------- d-----w- c:\temp\hsperfdata_CESHBAUGH
2009-08-28 13:21 . 2009-09-21 21:45 -------- d-----w- c:\temp\gwprint
2009-08-27 18:22 . 2009-04-30 01:07 70216 ----a-w- c:\windows\system32\mfevtps.exe
2009-08-27 18:22 . 2009-04-30 01:07 65224 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2009-08-26 15:09 . 2009-09-22 17:42 -------- d-----w- c:\temp\Word8.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 18:55 . 2009-05-07 19:24 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-22 17:47 . 2008-12-19 16:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-07 00:24 . 2008-12-18 21:03 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2008-12-18 21:03 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2008-12-18 21:03 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2008-01-24 00:34 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2008-12-18 21:03 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2008-12-18 21:03 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-12-18 21:03 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 13:21 . 2009-07-30 13:21 -------- d-----w- c:\documents and settings\CESHBAUGH\Application Data\CyberLink
2009-07-30 13:21 . 2009-07-30 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-04 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-22_17.49.47 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-09-11 18:48 60182 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-24 19:00 60182 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-24 19:00 398128 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-11 18:48 398128 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-27 471040]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-25 446563]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-17 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-17 150040]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-02 200704]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-18 2220032]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-10-01 1454080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2008-06-02 69632]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 15:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
Notification Packages REG_MULTI_SZ SbNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-229141\Scripts\Logon\0\0]
"Script"=\\vst\isds$\AppInstall\UserInvLog\UserInvLog.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-229141\Scripts\Logon\1\0]
"Script"=GWLDAPTAMHSC.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-229141\Scripts\Logon\2\0]
"Script"=\\swntdomain\NETLOGON\ADlogon\ADlogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-3114\Scripts\Logon\0\0]
"Script"=\\vst\isds$\AppInstall\UserInvLog\UserInvLog.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-3114\Scripts\Logon\1\0]
"Script"=GWLDAPTAMHSC.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143357078-1154901814-1553874782-3114\Scripts\Logon\2\0]
"Script"=\\swntdomain\NETLOGON\ADlogon\ADlogon.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=""
"AntiVirusOverride"=""
"FirewallOverride"=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [6/23/2008 8:31 AM 103760]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [7/16/2007 1:32 PM 44976]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [6/23/2008 8:31 AM 6496]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [6/23/2008 8:31 AM 33328]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [6/23/2008 8:31 AM 34480]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [6/23/2008 8:32 AM 15248]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [12/18/2008 5:32 PM 33664]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 3:47 PM 6899]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [9/4/2008 6:28 PM 406808]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [4/29/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/27/2009 1:22 PM 70216]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 11:59 AM 167936]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\windows\system32\rpcld.exe [5/7/2009 2:38 PM 181608]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [6/23/2008 8:33 AM 380988]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [10/1/2008 5:28 AM 90112]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [5/2/2006 10:17 AM 61440]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [12/18/2008 4:20 PM 112128]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 3:11 PM 2773]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/25/2008 9:49 AM 110080]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/27/2009 1:22 PM 65224]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\CESHBAUGH\Application Data\Mozilla\Firefox\Profiles\65y8piud.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 16:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\SafeBoot\SBGINA.DLL
c:\program files\SafeBoot\SbGinaLib.dll
c:\program files\SafeBoot\SbUserObj.dll
c:\program files\SafeBoot\sbdbmgr.dll
c:\program files\SafeBoot\SbComms.dll
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\SafeBoot\SBUILIB.DLL
c:\program files\SafeBoot\SbAlgs\SBALG.DLL
c:\program files\SafeBoot\SbTokens\SbTokenPwd.dll
c:\program files\Novell\ZENworks\WMNTAPI.DLL

- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\SbNp.dll
.
Completion time: 2009-09-24 17:00
ComboFix-quarantined-files.txt 2009-09-24 22:00
ComboFix2.txt 2009-09-22 17:53

Pre-Run: 67,723,411,456 bytes free
Post-Run: 67,700,932,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

324 --- E O F --- 2009-09-22 15:00

How Can I Reduce My Risk to Malware?


#12 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:09:51 PM

Posted 27 September 2009 - 07:47 PM

hi,

did you add all those sites to IE's trusted zone?


Trusted Zone: 4medica.com
Trusted Zone: 4medica.net
Trusted Zone: aaet.info
Trusted Zone: abret.org
Trusted Zone: afponline.org
Trusted Zone: allergan.com
Trusted Zone: aset.org
Trusted Zone: cardinal.com
Trusted Zone: cdc.gov
Trusted Zone: cmecourses.com
Trusted Zone: doweaver.com
Trusted Zone: edmweb
Trusted Zone: fda.gov
Trusted Zone: greatplacetowork.com\www
Trusted Zone: healthstream.com\www

etc...............

Please do an online scan here:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

How Can I Reduce My Risk to Malware?


#13 clide

clide
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 30 September 2009 - 04:47 PM

Thanks. I recognize most of those sites in Trusted Zone, but not all of them. Not sure if I added some or not. Should I go through and check each one of them? Attached is the Eset log.

Thanks again for your time.

Attached Files



#14 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:09:51 PM

Posted 30 September 2009 - 07:41 PM

OK, thanks for the info. The online scan looks OK. Unless you added those sites to your trusted zone, I would remove them. Even if you recognize them, you still would have had to add them yourself. I suppose software could have done it. This isn't a computer you use for work, is it?

How Can I Reduce My Risk to Malware?
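One way to audit those entries before deciding what to remove, as an added example that is not part of this thread or of any tool mentioned in it: the "Trusted Zone:" lines in the DDS log are read from Internet Explorer's ZoneMap\Domains registry keys, where each domain (and optional host subkey) carries values named after a URL scheme ("http", "https", "*") whose DWORD data is the zone number, 2 meaning Trusted sites. The PowerShell script below (the function name Get-ZoneMapEntries and the column names are my own) walks those keys under HKCU and HKLM and lists every host mapped to zone 2, both in the domain\host form the log uses and as a normal host name, so the list can be compared against what was added deliberately.

```powershell
# Added example: enumerate IE ZoneMap entries and report the hosts assigned to
# zone 2 (Trusted sites). Run from an elevated prompt to read the HKLM copy too;
# HKLM is authoritative only when the Security_HKLM_only policy value is set
# under ...\Internet Settings, otherwise the per-user HKCU entries apply.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    # $Root is a ZoneMap\Domains key, e.g. HKCU:\...\Internet Settings\ZoneMap\Domains
    param([Parameter(Mandatory = $true)][string]$Root)

    if (-not (Test-Path -Path $Root)) { return }
    $hive = $Root.Split(':')[0]

    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        $key = $_
        # The key path below Domains is written domain\host (the log's "sw.org\epremis-web");
        # reversing the components gives the host name a user would recognize.
        $relative = $key.Name.Substring($key.Name.IndexOf('Domains\') + 'Domains\'.Length)
        $parts = $relative -split '\\'
        [array]::Reverse($parts)
        $hostName = $parts -join '.'

        # Each value is named after a URL scheme and holds the zone id as a DWORD.
        foreach ($scheme in $key.GetValueNames()) {
            if ($scheme -eq '') { continue }   # the key's default value carries no mapping
            $zone = $key.GetValue($scheme)
            New-Object -TypeName PSObject -Property @{
                Hive     = $hive
                LogForm  = $relative
                Host     = $hostName
                Scheme   = $scheme
                Zone     = $zone
                ZoneName = $ZoneNames[[int]$zone]
            }
        }
    }
}

$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

# Keep only entries mapped to the Trusted sites zone and print them in log order.
$Trusted = $Roots | ForEach-Object { Get-ZoneMapEntries -Root $_ } | Where-Object { $_.Zone -eq 2 }

$Trusted | Sort-Object -Property LogForm | Format-Table -Property Hive, LogForm, Host, Scheme -AutoSize
"{0} host(s) mapped to the Trusted sites zone" -f @($Trusted).Count
```

The script only reads the registry. Entries that turn out to be unexpected can be removed through IE's Tools > Internet Options > Security > Trusted sites > Sites dialog, which deletes the corresponding key. IP address ranges placed in a zone live under ZoneMap\Ranges rather than Domains and are not covered by this listing.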


#15 clide

clide
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 06 October 2009 - 01:32 PM

I will go through them and check. This is a personal computer, but it has some work-related software on it that was added by the company. I use the computer for both personal and work.



