
Internet Search Redirect


  • This topic is locked
30 replies to this topic

#1 mfiore
  • Members
  • 17 posts

Posted 27 October 2009 - 01:51 PM

Long-time reader, first-time poster.
My searches (Google, Bing) jump to the correct page listing the possible link matches, whether from the search site or the search bar (IE or FF).
However, randomly (~60% of the time) something will jump the browser to a totally unrelated site. Thankfully, so far they have mostly been sites that are down and have not seemed to install even more harmful applications. I have run Spybot, Malwarebytes, McAfee antivirus, and HijackThis; however, the problem seems to persist.

Here are the contents of the last HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:44 PM, on 10/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://inside.yimaine.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://inside.yimaine.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://inside.yimaine.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Youth Alternatives Ingraham
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.211maine.org
O15 - Trusted Zone: http://game.aqworlds.com
O15 - Trusted Zone: http://*.armorgames.com
O15 - Trusted Zone: http://211maine.communityos.org
O15 - Trusted Zone: http://211maineportal.communityos.org
O15 - Trusted Zone: http://training.essentiallearning.com
O15 - Trusted Zone: http://www.essentiallearning.net
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://evolv.yimaine.org/evolvbeta/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1230577259429
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1250170541160
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.youthalternatives.local
O17 - HKLM\Software\..\Telephony: DomainName = ad.youthalternatives.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.youthalternatives.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.youthalternatives.local
O18 - Protocol: qpic - {F20816C2-B39E-47C5-95A4-94A5E6D172C7} - C:\PROGRA~1\QUESTS~1\PERFOR~1\Common\QUESTA~1\QPic.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

--
End of file - 7707 bytes


Any help would be greatly appreciated.
Forgot to add: this is XP.


#2 mfiore
  • Topic Starter
  • Members
  • 17 posts

Posted 29 October 2009 - 09:58 AM

Anyone?

Hello mfiore,

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are those of other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple-post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 29 October 2009 - 06:16 PM.


#3 mfiore
  • Topic Starter
  • Members
  • 17 posts

Posted 30 October 2009 - 07:54 AM

Understood, and I do really appreciate the help.

Just wanted to be sure this was noticed.

#4 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania

Posted 03 November 2009 - 04:16 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks, and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft



#5 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania

Posted 08 November 2009 - 04:06 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise



#6 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania

Posted 12 November 2009 - 09:26 AM

Re-opened upon the user's request.

regards, Elise



#7 mfiore
  • Topic Starter
  • Members
  • 17 posts

Posted 12 November 2009 - 09:37 AM

McAfee is now detecting tdlwsp.dll on the system.
I have removed it several times, but it keeps returning.

GMER is running now and will post as soon as it is finished.

#8 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania

Posted 12 November 2009 - 09:58 AM

Don't bother trying to remove tdlwsp; it's part of an advanced rootkit and you will not be able to remove it on your own. Please post the log and I will provide you with steps.

regards, Elise



#9 mfiore
  • Topic Starter
  • Members
  • 17 posts

Posted 12 November 2009 - 11:45 AM

Contents of GMER scan:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-12 11:40:52
Windows 5.1.2600 Service Pack 3
Running: hxg2sprj.exe; Driver: C:\DOCUME~1\mfiore\LOCALS~1\Temp\fwtdrpog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF70AD090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF70AD0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF70AD054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF70AD068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF70AD0CE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF70AD0BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF70AD07C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP F70AD058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP F70AD06C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP F70AD0BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP F70AD0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP F70AD094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP F70AD0D2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP F70AD080 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[932] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405941] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\iaStor \Device\Ide\iaStor0 [F724BD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F724BD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#10 mfiore
  • Topic Starter
  • Members
  • 17 posts

Posted 12 November 2009 - 12:04 PM

DDS results (Attach.txt available if needed):

DDS (Ver_09-10-26.01) - NTFSx86
Run by mfiore at 11:50:56.50 on Thu 11/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1287 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
\\homer\home$\mfiore\Desktop\hxg2sprj.exe
\\homer\home$\mfiore\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
uWindow Title = Windows Internet Explorer provided by Youth Alternatives Ingraham
uStart Page = https://inside.yimaine.org/
uDefault_Page_URL = https://inside.yimaine.org/
mDefault_Page_URL = https://inside.yimaine.org/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: consentpromptbehavioradmin = 1 (0x1)
mPolicies-system: MaxGPOScriptWait = 6000 (0x1770)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: 211maine.org\www
Trusted Zone: apshealthcare.com\careconnectionme
Trusted Zone: aqworlds.com\game
Trusted Zone: armorgames.com
Trusted Zone: attendanceondemand.com\ya
Trusted Zone: communityos.org\211maine
Trusted Zone: communityos.org\211maineportal
Trusted Zone: essentiallearning.com\training
Trusted Zone: essentiallearning.net\www
Trusted Zone: microsoft.com\www
Trusted Zone: scribe.com\promed
Trusted Zone: yaimaine.org\evolv
Trusted Zone: yimaine.org\evolv
Trusted Zone: youthalternatives.org\evolv
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://evolv.yimaine.org/evolvbeta/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230577259429
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250170541160
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: qpic - {F20816C2-B39E-47c5-95A4-94A5E6D172C7} - c:\progra~1\quests~1\perfor~1\common\questa~1\QPic.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - "c:\windows\system32\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mfiore\applic~1\mozilla\firefox\profiles\1xacjblb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\mfiore\application data\move networks\plugins\npqmp071505000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://www.pardus.at http://pardus.at http://forum.pardus.at http://chat.pardus.at http://portal.pardus.at http://orion.pardus.at http://artemis.pardus.at http://pegasus.pardus.at
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess
============= SERVICES / DRIVERS ===============

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-4-29 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-9-18 70216]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2009-5-27 202584]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-7-2 89600]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-4-22 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-4-22 47616]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 watcher;watcher;\??\c:\windows\system32\drivers\watcher.sys --> c:\windows\system32\drivers\watcher.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-9-18 65224]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2009-3-17 58240]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-9-10 33024]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-9-10 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-9-10 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-9-10 59904]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
S4 SWIHPWMI;SWIHPWMI;c:\program files\hpq\shared\sierra wireless\win32\unicode\SWIHPWMI.exe [2006-12-4 292384]

=============== Created Last 30 ================

2009-11-06 18:48:10 0 d-----w- C:\Dun
2009-11-05 16:57:54 0 d-----w- c:\program files\HTML Help Workshop
2009-11-05 16:57:54 0 d-----w- c:\program files\common files\Merge Modules
2009-11-05 16:57:54 0 d-----w- c:\program files\common files\Business Objects
2009-11-05 16:57:54 0 d-----w- c:\program files\CE Remote Tools
2009-11-05 16:57:54 0 d-----w- c:\docume~1\alluse~1\applic~1\PreEmptive Solutions
2009-11-04 15:42:12 0 d-----w- C:\torch
2009-11-04 15:19:06 0 d-----w- c:\docume~1\mfiore\applic~1\runic games
2009-11-03 12:40:02 0 d-----w- c:\docume~1\mfiore\applic~1\KONICA MINOLTA
2009-10-27 18:05:13 0 d-----w- c:\program files\Trend Micro
2009-10-27 16:21:03 0 d-----w- c:\docume~1\mfiore\applic~1\AVG8
2009-10-27 01:28:34 0 d-----w- c:\docume~1\mfiore\applic~1\Malwarebytes
2009-10-27 01:28:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 01:28:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-27 01:28:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 01:28:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-17 15:27:30 0 d-----w- c:\program files\ROM
2009-10-15 09:32:27 0 d-----w- c:\windows\SQLTools9_KB970892_ENU
2009-10-15 09:30:52 0 d-----w- c:\windows\DTS9_KB970892_ENU
2009-10-15 09:30:08 0 d-----w- c:\windows\NS9_KB970892_ENU
2009-10-15 09:27:19 0 d-----w- c:\windows\OLAP9_KB970892_ENU
2009-10-15 09:23:44 0 d-----w- c:\windows\SQL9_KB970892_ENU
2009-10-14 14:23:03 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2009-10-14 14:22:53 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll

==================== Find3M ====================

2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:24:48 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-06 20:24:47 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-16 17:56:14 3550592 ----a-w- c:\windows\system32\procexp.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 13:06:29 19728 ----a-w- c:\windows\nylo.com
2009-08-31 13:06:29 16429 ----a-w- c:\docume~1\alluse~1\applic~1\kafag.bin
2009-08-31 13:06:29 14510 ----a-w- c:\windows\beziba.vbs
2009-08-31 13:06:29 12788 ----a-w- c:\program files\common files\dagyzyvu.bin
2009-08-31 13:06:29 12591 ----a-w- c:\program files\common files\ogapu.pif
2009-08-31 13:06:29 11355 ----a-w- c:\windows\ijukolizo.vbs
2009-08-31 13:06:29 10797 ----a-w- c:\windows\system32\sumopyru.sys
2009-08-31 13:06:29 10617 ----a-w- c:\program files\common files\naxa.sys
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-12-29 19:31:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920081230\index.dat
2009-01-02 17:34:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010220090103\index.dat

============= FINISH: 11:52:34.08 ===============

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,575 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:30 AM

Posted 12 November 2009 - 01:47 PM

Hello mfiore,

COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer or ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#12 mfiore

mfiore
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 12 November 2009 - 02:22 PM

ComboFix File

**********************

ComboFix 09-11-13.02 - mfiore 11/12/2009 14:07.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1456 [GMT -5:00]
Running from: \\homer\home$\mfiore\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2215937618-3860388965-42823809-1000
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\install.exe
c:\windows\beziba.vbs
c:\windows\ijukolizo.vbs
c:\windows\system32\Cache

----- BITS: Possible infected sites -----

hxxp://barney
Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-12 19:01 . 2008-04-14 05:10 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-12 19:01 . 2008-04-14 05:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-12 10:56 . 2009-11-12 10:56 152576 ----a-w- c:\documents and settings\mfiore\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 10:54 . 2009-11-12 10:56 79488 ----a-w- c:\documents and settings\mfiore\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-06 18:48 . 2009-11-06 18:48 -------- d-----w- C:\Dun
2009-11-05 16:57 . 2009-11-10 10:37 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-11-05 16:57 . 2009-11-05 17:09 -------- d-----w- c:\program files\HTML Help Workshop
2009-11-05 16:57 . 2009-11-05 16:59 -------- d-----w- c:\program files\Common Files\Business Objects
2009-11-05 16:57 . 2009-11-05 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2009-11-05 16:57 . 2009-11-05 16:57 -------- d-----w- c:\windows\Symbols
2009-11-05 16:57 . 2009-11-05 16:57 -------- d-----w- c:\program files\CE Remote Tools
2009-11-04 15:42 . 2009-11-04 15:42 -------- d-----w- C:\torch
2009-11-04 15:19 . 2009-11-04 15:19 -------- d-----w- c:\documents and settings\mfiore\Application Data\runic games
2009-11-03 12:40 . 2009-11-03 12:40 -------- d-----w- c:\documents and settings\mfiore\Application Data\KONICA MINOLTA
2009-10-27 18:05 . 2009-10-27 18:05 -------- d-----w- c:\program files\Trend Micro
2009-10-27 16:21 . 2009-10-27 16:21 -------- d-----w- c:\documents and settings\mfiore\Application Data\AVG8
2009-10-27 15:22 . 2009-10-27 15:22 -------- d-----w- c:\documents and settings\mdfadm\Application Data\Malwarebytes
2009-10-27 01:28 . 2009-10-27 01:28 -------- d-----w- c:\documents and settings\mfiore\Application Data\Malwarebytes
2009-10-27 01:28 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 01:28 . 2009-10-27 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 01:28 . 2009-10-27 01:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 01:28 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-17 22:17 . 2009-10-17 22:17 1924440 ----a-w- c:\documents and settings\mfiore\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-10-17 15:27 . 2009-10-17 15:27 -------- d-----w- c:\program files\ROM
2009-10-15 09:32 . 2009-10-15 09:32 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2009-10-15 09:30 . 2009-10-15 09:30 -------- d-----w- c:\windows\DTS9_KB970892_ENU
2009-10-15 09:30 . 2009-10-15 09:30 -------- d-----w- c:\windows\NS9_KB970892_ENU
2009-10-15 09:27 . 2009-10-15 09:27 -------- d-----w- c:\windows\OLAP9_KB970892_ENU
2009-10-15 09:23 . 2009-10-15 09:23 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2009-10-14 14:23 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2009-10-14 14:22 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 18:23 . 2009-04-01 15:09 -------- d-----w- c:\documents and settings\mfiore\Application Data\EVEMon
2009-11-12 10:57 . 2009-01-30 01:49 -------- d-----w- c:\program files\Java
2009-11-10 10:40 . 2008-12-29 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-08 20:37 . 2009-07-24 13:56 -------- d-----w- c:\documents and settings\mfiore\Application Data\vlc
2009-11-07 13:19 . 2008-12-29 20:12 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-05 17:54 . 2008-12-31 14:05 49416 ----a-w- c:\documents and settings\mdfadm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 17:31 . 2008-12-29 20:04 49416 ----a-w- c:\documents and settings\mfiore\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 12:38 . 2008-12-31 20:42 -------- d-----w- c:\program files\MSBuild
2009-11-05 12:02 . 2009-01-19 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-11-04 18:45 . 2009-01-02 00:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 12:10 . 2008-04-22 14:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 12:09 . 2009-08-20 10:55 -------- d-----w- c:\program files\PopCap Games
2009-11-02 02:03 . 2009-01-01 17:55 -------- d-----w- c:\documents and settings\mfiore\Application Data\dvdcss
2009-10-27 01:41 . 2009-02-25 17:18 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-18 19:06 . 2009-08-20 10:56 25 ----a-w- c:\windows\popcinfot.dat
2009-10-17 14:59 . 2009-03-23 02:18 -------- d-----w- c:\documents and settings\mfiore\Application Data\FOG Downloader
2009-10-15 09:33 . 2008-12-29 19:59 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-14 09:25 . 2008-04-22 15:56 -------- d-----w- c:\program files\Microsoft Works
2009-10-11 09:17 . 2009-01-30 01:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:24 . 2009-10-06 20:24 -------- d-----w- c:\program files\OpenAL
2009-10-06 20:24 . 2009-10-06 20:24 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-06 20:24 . 2009-10-06 20:24 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-06 20:24 . 2009-10-06 20:24 -------- d-----w- c:\program files\Infinite Interactive
2009-09-27 16:19 . 2009-01-03 20:20 -------- d-----w- c:\documents and settings\mfiore\Application Data\Move Networks
2009-09-27 14:57 . 2009-09-27 14:57 126970 ----a-w- c:\documents and settings\mfiore\Application Data\Move Networks\uninstall.exe
2009-09-27 14:57 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\mfiore\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-27 14:57 . 2009-09-27 14:57 1407680 ----a-w- c:\documents and settings\mfiore\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-09-18 18:25 . 2008-04-22 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-18 18:25 . 2008-04-22 18:17 -------- d-----w- c:\program files\McAfee
2009-09-18 18:25 . 2009-09-18 18:25 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-18 17:29 . 2009-02-28 00:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-18 17:28 . 2009-02-28 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-18 16:39 . 2009-09-17 15:42 49416 ----a-w- c:\documents and settings\jkwtest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-18 16:39 . 2009-09-18 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-09-18 16:38 . 2009-09-18 16:38 0 ----a-w- c:\windows\ativpsrm.bin
2009-09-17 16:05 . 2009-07-27 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-17 15:43 . 2009-09-17 15:43 -------- d-----w- c:\documents and settings\jkwtest\Application Data\ATI
2009-09-17 15:29 . 2009-01-09 14:57 -------- d-----w- c:\program files\Common Files\Apple
2009-09-16 19:49 . 2009-03-05 02:28 -------- d-----w- c:\program files\DOSBox-0.72
2009-09-16 19:32 . 2009-02-27 23:09 -------- d-----w- c:\program files\Lavasoft
2009-09-16 17:56 . 2009-09-16 19:56 3550592 ----a-w- c:\windows\system32\procexp.exe
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 13:06 . 2009-08-31 13:06 19728 ----a-w- c:\windows\nylo.com
2009-08-31 13:06 . 2009-08-31 13:06 17951 ----a-w- c:\documents and settings\mfiore\Local Settings\Application Data\cacoda.pif
2009-08-31 13:06 . 2009-08-31 13:06 16429 ----a-w- c:\documents and settings\All Users\Application Data\kafag.bin
2009-08-31 13:06 . 2009-08-31 13:06 12788 ----a-w- c:\program files\Common Files\dagyzyvu.bin
2009-08-31 13:06 . 2009-08-31 13:06 12739 ----a-w- c:\documents and settings\mfiore\Local Settings\Application Data\sopewykyke.sys
2009-08-31 13:06 . 2009-08-31 13:06 12591 ----a-w- c:\program files\Common Files\ogapu.pif
2009-08-31 13:06 . 2009-08-31 13:06 10797 ----a-w- c:\windows\system32\sumopyru.sys
2009-08-31 13:06 . 2009-08-31 13:06 10617 ----a-w- c:\program files\Common Files\naxa.sys
2009-08-29 07:36 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 21:13 . 2009-08-20 21:13 0 ----a-w- c:\windows\popcreg.dat
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-04-30 00:07 . 2009-09-18 18:26 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 1 (0x1)
"MaxGPOScriptWait"= 6000 (0x1770)
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [4/29/2009 7:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/18/2009 1:26 PM 70216]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/27/2009 2:26 AM 202584]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/22/2008 10:23 AM 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [4/22/2008 10:05 AM 47616]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 watcher;watcher;\??\c:\windows\system32\drivers\watcher.sys --> c:\windows\system32\drivers\watcher.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/18/2009 1:26 PM 65224]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [3/17/2009 12:52 PM 58240]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [9/10/2009 8:09 AM 33024]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [9/10/2009 8:09 AM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [9/10/2009 8:09 AM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [9/10/2009 8:09 AM 59904]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
S4 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [12/4/2006 3:13 PM 292384]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = https://inside.yimaine.org/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: 211maine.org\www
Trusted Zone: apshealthcare.com\careconnectionme
Trusted Zone: aqworlds.com\game
Trusted Zone: armorgames.com
Trusted Zone: attendanceondemand.com\ya
Trusted Zone: communityos.org\211maine
Trusted Zone: communityos.org\211maineportal
Trusted Zone: essentiallearning.com\training
Trusted Zone: essentiallearning.net\www
Trusted Zone: microsoft.com\www
Trusted Zone: scribe.com\promed
Trusted Zone: yaimaine.org\evolv
Trusted Zone: yimaine.org\evolv
Trusted Zone: youthalternatives.org\evolv
Handler: qpic - {F20816C2-B39E-47c5-95A4-94A5E6D172C7} - c:\progra~1\QUESTS~1\PERFOR~1\Common\QUESTA~1\QPic.dll
FF - ProfilePath - c:\documents and settings\mfiore\Application Data\Mozilla\Firefox\Profiles\1xacjblb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\mfiore\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://www.pardus.at http://pardus.at http://forum.pardus.at http://chat.pardus.at http://portal.pardus.at http://orion.pardus.at http://artemis.pardus.at http://pegasus.pardus.at
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.
- - - - ORPHANS REMOVED - - - -

AddRemove-KB955706_DTS9 - c:\windows\DTS9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_NS9 - c:\windows\NS9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_OLAP9 - c:\windows\OLAP9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_SQL9 - c:\windows\SQL9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_SQLTools9 - c:\windows\SQLTools9_KB955706_ENU\Hotfix.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 14:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1088)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-11-12 14:20
ComboFix-quarantined-files.txt 2009-11-12 19:19

Pre-Run: 53,665,554,432 bytes free
Post-Run: 54,004,224,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

- - End Of File - - 71DD7A769841E05124A2A5C464F2F5F8

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,575 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:30 AM

Posted 12 November 2009 - 03:02 PM

Hello mfiore,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\windows\nylo.com
c:\documents and settings\mfiore\Local Settings\Application Data\cacoda.pif
c:\documents and settings\All Users\Application Data\kafag.bin
c:\program files\Common Files\dagyzyvu.bin
c:\documents and settings\mfiore\Local Settings\Application Data\sopewykyke.sys
c:\program files\Common Files\ogapu.pif
c:\windows\system32\sumopyru.sys
c:\program files\Common Files\naxa.sys

DDS::
Trusted Zone: 211maine.org\www
Trusted Zone: apshealthcare.com\careconnectionme
Trusted Zone: aqworlds.com\game
Trusted Zone: armorgames.com
Trusted Zone: attendanceondemand.com\ya
Trusted Zone: communityos.org\211maine
Trusted Zone: communityos.org\211maineportal
Trusted Zone: essentiallearning.com\training
Trusted Zone: essentiallearning.net\www
Trusted Zone: microsoft.com\www
Trusted Zone: scribe.com\promed
Trusted Zone: yaimaine.org\evolv
Trusted Zone: yimaine.org\evolv
Trusted Zone: youthalternatives.org\evolv
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt
  • Run DDS and post attach.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
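The files Elise pulls into the File:: section above are the ones an analyst spots by eye in the ComboFix Find3M report: a burst of payload-type files written in the same minute, scattered across several directories, with random-looking names, alongside registry values that switch protections off (the EnableFirewall and DisableMonitoring entries in the log). The script below is an added example, not part of this thread and not code from ComboFix or DDS; it applies those two heuristics to log lines of the shape shown above. The sample log is a constructed subset of the thread's own lines, and the cluster thresholds, the payload extension list and the set of flagged settings are assumptions chosen for illustration.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not part of
the thread or of ComboFix). Two heuristics: files that share one leading
timestamp across several directories, and registry values that disable
protections. Thresholds and the flagged-settings table are assumptions."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a subset of the Find3M report and Reg Loading Points
# lines from the thread, in the exact column layout ComboFix printed them.
SAMPLE_LOG = r"""
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-31 13:06 . 2009-08-31 13:06 19728 ----a-w- c:\windows\nylo.com
2009-08-31 13:06 . 2009-08-31 13:06 17951 ----a-w- c:\documents and settings\mfiore\Local Settings\Application Data\cacoda.pif
2009-08-31 13:06 . 2009-08-31 13:06 16429 ----a-w- c:\documents and settings\All Users\Application Data\kafag.bin
2009-08-31 13:06 . 2009-08-31 13:06 12788 ----a-w- c:\program files\Common Files\dagyzyvu.bin
2009-08-31 13:06 . 2009-08-31 13:06 10797 ----a-w- c:\windows\system32\sumopyru.sys
2009-08-29 07:36 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# One file line: <timestamp> . <timestamp> <size|-----> <8 attr chars> <path>
FILE_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'\d{4}-\d{2}-\d{2} \d{2}:\d{2} '
    r'(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$')
# Extensions a dropper typically writes (assumed list for this example).
PAYLOAD_EXT = {'.com', '.pif', '.bin', '.vbs', '.sys', '.exe', '.dll', '.scr'}


def parse_file_lines(log):
    """Return (leading_timestamp, path) for every non-directory file line."""
    rows = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m.group('attrs')[0] != 'd':   # 'd' in the first attr column = directory
            rows.append((m.group('ts'), m.group('path')))
    return rows


def find_drop_clusters(log, min_files=3, min_dirs=2):
    """Group payload-type files by leading timestamp; report bursts that
    landed in at least min_dirs distinct directories in the same minute."""
    by_ts = defaultdict(list)
    for ts, path in parse_file_lines(log):
        if PureWindowsPath(path).suffix.lower() in PAYLOAD_EXT:
            by_ts[ts].append(path)
    clusters = []
    for ts, paths in sorted(by_ts.items()):
        dirs = {str(PureWindowsPath(p).parent).lower() for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs:
            clusters.append({'timestamp': ts, 'paths': paths})
    return clusters


REG_KEY = re.compile(r'^\[(?P<key>.+)\]$')
REG_VAL = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
# (key fragment, value name, value that weakens the host, description)
WEAKENING = [
    ('firewallpolicy', 'EnableFirewall', 0, 'Windows Firewall is switched off for this profile'),
    ('security center\\monitoring', 'DisableMonitoring', 1, 'Security Center no longer monitors this AV product'),
]


def _reg_int(raw):
    """Decode '1 (0x1)' or 'dword:00000001' style values to an int."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'\d+', raw)
    return int(m.group()) if m else None


def find_weakened_settings(log):
    """Walk [key] / "name"=value lines and report protection-disabling pairs."""
    findings, key = [], ''
    for line in log.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            key = km.group('key').lower()
            continue
        vm = REG_VAL.match(line)
        if not vm:
            continue
        value = _reg_int(vm.group('raw'))
        for fragment, name, bad, msg in WEAKENING:
            if fragment in key and vm.group('name') == name and value == bad:
                findings.append({'key': key, 'name': name, 'message': msg})
    return findings


if __name__ == '__main__':
    for c in find_drop_clusters(SAMPLE_LOG):
        print(f"{len(c['paths'])} payload files written at {c['timestamp']}:")
        for p in c['paths']:
            print('   ', p)
    for f in find_weakened_settings(SAMPLE_LOG):
        print(f"{f['name']} under [{f['key']}]: {f['message']}")
```

On the sample the cluster heuristic returns exactly the 2009-08-31 13:06 burst and leaves the legitimately patched msv1_0.dll and wininet.dll alone, because each of those stands alone in its minute; the registry pass reports the disabled firewall profile and the disabled Security Center monitoring. The output is a review list for the helper, not an automatic delete list: the cluster still has to be confirmed against the rest of the log before any path goes into a File:: section.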


#14 mfiore

mfiore
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 12 November 2009 - 03:28 PM

ComboFix Log
***********************

ComboFix 09-11-13.02 - mfiore 11/12/2009 15:19.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1445 [GMT -5:00]
Running from: \\homer\home$\mfiore\Desktop\ComboFix.exe
Command switches used :: \\homer\home$\mfiore\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\documents and settings\All Users\Application Data\kafag.bin"
"c:\documents and settings\mfiore\Local Settings\Application Data\cacoda.pif"
"c:\documents and settings\mfiore\Local Settings\Application Data\sopewykyke.sys"
"c:\program files\Common Files\dagyzyvu.bin"
"c:\program files\Common Files\naxa.sys"
"c:\program files\Common Files\ogapu.pif"
"c:\windows\nylo.com"
"c:\windows\system32\sumopyru.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\kafag.bin
c:\documents and settings\mfiore\Local Settings\Application Data\cacoda.pif
c:\documents and settings\mfiore\Local Settings\Application Data\sopewykyke.sys
c:\program files\Common Files\dagyzyvu.bin
c:\program files\Common Files\naxa.sys
c:\program files\Common Files\ogapu.pif
c:\windows\nylo.com
c:\windows\system32\sumopyru.sys

.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-12 19:01 . 2008-04-14 05:10 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-12 19:01 . 2008-04-14 05:10 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-12 10:56 . 2009-11-12 10:56 152576 ----a-w- c:\documents and settings\mfiore\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 10:54 . 2009-11-12 10:56 79488 ----a-w- c:\documents and settings\mfiore\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-06 18:48 . 2009-11-06 18:48 -------- d-----w- C:\Dun
2009-11-05 16:57 . 2009-11-10 10:37 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-11-05 16:57 . 2009-11-05 17:09 -------- d-----w- c:\program files\HTML Help Workshop
2009-11-05 16:57 . 2009-11-05 16:59 -------- d-----w- c:\program files\Common Files\Business Objects
2009-11-05 16:57 . 2009-11-05 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2009-11-05 16:57 . 2009-11-05 16:57 -------- d-----w- c:\windows\Symbols
2009-11-05 16:57 . 2009-11-05 16:57 -------- d-----w- c:\program files\CE Remote Tools
2009-11-04 15:42 . 2009-11-04 15:42 -------- d-----w- C:\torch
2009-11-04 15:19 . 2009-11-04 15:19 -------- d-----w- c:\documents and settings\mfiore\Application Data\runic games
2009-11-03 12:40 . 2009-11-03 12:40 -------- d-----w- c:\documents and settings\mfiore\Application Data\KONICA MINOLTA
2009-10-27 18:05 . 2009-10-27 18:05 -------- d-----w- c:\program files\Trend Micro
2009-10-27 16:21 . 2009-10-27 16:21 -------- d-----w- c:\documents and settings\mfiore\Application Data\AVG8
2009-10-27 15:22 . 2009-10-27 15:22 -------- d-----w- c:\documents and settings\mdfadm\Application Data\Malwarebytes
2009-10-27 01:28 . 2009-10-27 01:28 -------- d-----w- c:\documents and settings\mfiore\Application Data\Malwarebytes
2009-10-27 01:28 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 01:28 . 2009-10-27 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 01:28 . 2009-10-27 01:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 01:28 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-17 22:17 . 2009-10-17 22:17 1924440 ----a-w- c:\documents and settings\mfiore\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-10-17 15:27 . 2009-10-17 15:27 -------- d-----w- c:\program files\ROM
2009-10-15 09:32 . 2009-10-15 09:32 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2009-10-15 09:30 . 2009-10-15 09:30 -------- d-----w- c:\windows\DTS9_KB970892_ENU
2009-10-15 09:30 . 2009-10-15 09:30 -------- d-----w- c:\windows\NS9_KB970892_ENU
2009-10-15 09:27 . 2009-10-15 09:27 -------- d-----w- c:\windows\OLAP9_KB970892_ENU
2009-10-15 09:23 . 2009-10-15 09:23 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2009-10-14 14:23 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2009-10-14 14:22 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 18:23 . 2009-04-01 15:09 -------- d-----w- c:\documents and settings\mfiore\Application Data\EVEMon
2009-11-12 10:57 . 2009-01-30 01:49 -------- d-----w- c:\program files\Java
2009-11-10 10:40 . 2008-12-29 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-08 20:37 . 2009-07-24 13:56 -------- d-----w- c:\documents and settings\mfiore\Application Data\vlc
2009-11-07 13:19 . 2008-12-29 20:12 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-05 17:54 . 2008-12-31 14:05 49416 ----a-w- c:\documents and settings\mdfadm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 17:31 . 2008-12-29 20:04 49416 ----a-w- c:\documents and settings\mfiore\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 12:38 . 2008-12-31 20:42 -------- d-----w- c:\program files\MSBuild
2009-11-05 12:02 . 2009-01-19 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-11-04 18:45 . 2009-01-02 00:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 12:10 . 2008-04-22 14:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 12:09 . 2009-08-20 10:55 -------- d-----w- c:\program files\PopCap Games
2009-11-02 02:03 . 2009-01-01 17:55 -------- d-----w- c:\documents and settings\mfiore\Application Data\dvdcss
2009-10-27 01:41 . 2009-02-25 17:18 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-18 19:06 . 2009-08-20 10:56 25 ----a-w- c:\windows\popcinfot.dat
2009-10-17 14:59 . 2009-03-23 02:18 -------- d-----w- c:\documents and settings\mfiore\Application Data\FOG Downloader
2009-10-15 09:33 . 2008-12-29 19:59 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-14 09:25 . 2008-04-22 15:56 -------- d-----w- c:\program files\Microsoft Works
2009-10-11 09:17 . 2009-01-30 01:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:24 . 2009-10-06 20:24 -------- d-----w- c:\program files\OpenAL
2009-10-06 20:24 . 2009-10-06 20:24 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-06 20:24 . 2009-10-06 20:24 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-06 20:24 . 2009-10-06 20:24 -------- d-----w- c:\program files\Infinite Interactive
2009-09-27 16:19 . 2009-01-03 20:20 -------- d-----w- c:\documents and settings\mfiore\Application Data\Move Networks
2009-09-27 14:57 . 2009-09-27 14:57 126970 ----a-w- c:\documents and settings\mfiore\Application Data\Move Networks\uninstall.exe
2009-09-27 14:57 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\mfiore\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-27 14:57 . 2009-09-27 14:57 1407680 ----a-w- c:\documents and settings\mfiore\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-09-18 18:25 . 2008-04-22 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-18 18:25 . 2008-04-22 18:17 -------- d-----w- c:\program files\McAfee
2009-09-18 18:25 . 2009-09-18 18:25 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-18 17:29 . 2009-02-28 00:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-18 17:28 . 2009-02-28 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-18 16:39 . 2009-09-17 15:42 49416 ----a-w- c:\documents and settings\jkwtest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-18 16:39 . 2009-09-18 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-09-18 16:38 . 2009-09-18 16:38 0 ----a-w- c:\windows\ativpsrm.bin
2009-09-17 16:05 . 2009-07-27 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-17 15:43 . 2009-09-17 15:43 -------- d-----w- c:\documents and settings\jkwtest\Application Data\ATI
2009-09-17 15:29 . 2009-01-09 14:57 -------- d-----w- c:\program files\Common Files\Apple
2009-09-16 19:49 . 2009-03-05 02:28 -------- d-----w- c:\program files\DOSBox-0.72
2009-09-16 19:32 . 2009-02-27 23:09 -------- d-----w- c:\program files\Lavasoft
2009-09-16 17:56 . 2009-09-16 19:56 3550592 ----a-w- c:\windows\system32\procexp.exe
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 21:13 . 2009-08-20 21:13 0 ----a-w- c:\windows\popcreg.dat
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-04-30 00:07 . 2009-09-18 18:26 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-12_19.17.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-28 12:00 . 2009-11-12 19:22 671058 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2009-11-12 19:08 671058 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2009-11-12 19:22 156034 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2009-11-12 19:08 156034 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 1 (0x1)
"MaxGPOScriptWait"= 6000 (0x1770)
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [4/29/2009 7:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/18/2009 1:26 PM 70216]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/27/2009 2:26 AM 202584]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/22/2008 10:23 AM 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [4/22/2008 10:05 AM 47616]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 watcher;watcher;\??\c:\windows\system32\drivers\watcher.sys --> c:\windows\system32\drivers\watcher.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/18/2009 1:26 PM 65224]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [3/17/2009 12:52 PM 58240]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [9/10/2009 8:09 AM 33024]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [9/10/2009 8:09 AM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [9/10/2009 8:09 AM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [9/10/2009 8:09 AM 59904]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
S4 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [12/4/2006 3:13 PM 292384]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = https://inside.yimaine.org/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Handler: qpic - {F20816C2-B39E-47c5-95A4-94A5E6D172C7} - c:\progra~1\QUESTS~1\PERFOR~1\Common\QUESTA~1\QPic.dll
FF - ProfilePath - c:\documents and settings\mfiore\Application Data\Mozilla\Firefox\Profiles\1xacjblb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\mfiore\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://www.pardus.at http://pardus.at http://forum.pardus.at http://chat.pardus.at http://portal.pardus.at http://orion.pardus.at http://artemis.pardus.at http://pegasus.pardus.at
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 15:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1088)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-11-12 15:27
ComboFix-quarantined-files.txt 2009-11-12 20:26
ComboFix2.txt 2009-11-12 19:20

Pre-Run: 53,890,961,408 bytes free
Post-Run: 53,869,457,408 bytes free

- - End Of File - - BA04C03D8380ED1FD32998EDA2FFA002
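An added example for reading a ComboFix log like the one above (editor's own code; it is not ComboFix's, BleepingComputer's or the poster's, and the line shapes are taken from the log rather than from any published ComboFix format). It parses the `R?/S?` service and driver lines, the `"Key"= n (0xn)` policy values and the `FF - user.js:` lines, and returns the things a helper usually looks at first: entries whose image file ComboFix could not find (the `--> ... [?]` form), the boot- or system-start entries among those, image paths written with the `\??\` NT prefix, `EnableFirewall` set to 0, and any Firefox capability policy that grants `allAccess` to `checkloaduri` for a list of sites (the old way of letting named sites link to local `file://` URLs). The sample text is a constructed copy of a few lines from the log; the heuristics are assumptions of this example and the flags are prompts for a person to check, not verdicts: an unresolved image can simply be a leftover registration, and the log itself shows a Lavasoft directory and an SCM event recording that Lbd failed to load.

```python
"""Triage helpers for ComboFix-style log sections (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied in the shape of the log above.
SAMPLE = r"""
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [4/29/2009 7:07 PM 21256]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/22/2008 10:23 AM 41216]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 watcher;watcher;\??\c:\windows\system32\drivers\watcher.sys --> c:\windows\system32\drivers\watcher.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://www.pardus.at http://pardus.at
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.
"""

# "R2 name;display;image [date time size]" or, when the file was not found,
# "S1 name;display;image --> resolved [?]".  Shape inferred from the log above.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# '"EnableFirewall"= 0 (0x0)' style registry values (keys are assumed unique here).
POLICY_VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?P<value>-?\d+)\s*\(0x[0-9A-Fa-f]+\)\s*$')
# 'FF - user.js: <pref> - <value>' lines; ComboFix prints a trailing '.' on some values.
FF_PREF_RE = re.compile(r"^FF - user\.js:\s*(?P<pref>\S+)\s+-\s+(?P<value>.*?)\.?\s*$")


@dataclass
class ServiceEntry:
    state: str              # R = running, S = stopped, as ComboFix prints it
    start_type: int         # SCM start value: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    image: str
    resolved: Optional[str]  # path ComboFix tried when the image did not resolve
    meta: str               # "date time size" when the file was found, "?" when it was not

    @property
    def file_missing(self) -> bool:
        return self.meta.strip() == "?"

    @property
    def nt_path(self) -> bool:
        # A full NT object path instead of the usual drive path: worth a look, not proof of anything.
        return self.image.startswith("\\??\\")

    @property
    def early_load(self) -> bool:
        # Boot- and system-start entries load before most security software does.
        return self.start_type in (0, 1)


def parse_services(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["state"], int(m["start"]), m["name"], m["display"],
                                        m["image"], m["resolved"], m["meta"]))
    return entries


def policy_values(text: str) -> Dict[str, int]:
    return {m["key"]: int(m["value"])
            for m in (POLICY_VALUE_RE.match(l.strip()) for l in text.splitlines()) if m}


def firefox_prefs(text: str) -> Dict[str, str]:
    return {m["pref"]: m["value"]
            for m in (FF_PREF_RE.match(l.strip()) for l in text.splitlines()) if m}


def triage(text: str) -> Dict[str, object]:
    """Return the items a reviewer would check first; every flag is a prompt, not a verdict."""
    entries = parse_services(text)
    prefs = firefox_prefs(text)
    file_policy_sites: List[str] = []
    for pol in prefs.get("capability.policy.policynames", "").split():
        if prefs.get(f"capability.policy.{pol}.checkloaduri.enabled") == "allAccess":
            file_policy_sites += prefs.get(f"capability.policy.{pol}.sites", "").split()
    return {
        "unresolved_images": [e.name for e in entries if e.file_missing],
        "early_load_unresolved": [e.name for e in entries if e.early_load and e.file_missing],
        "nt_path_images": [e.name for e in entries if e.nt_path],
        "firewall_disabled": policy_values(text).get("EnableFirewall") == 0,
        "ff_file_policy_sites": file_policy_sites,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a full ComboFix.txt by reading the file into `triage()`; the only section-aware step is the Firefox policy lookup, everything else is line-by-line so sections can be fed in any order.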

#15 mfiore (Topic Starter, Members, 17 posts)

Posted 12 November 2009 - 03:30 PM

DDS Attach.txt
********************************************
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/2/2009 12:38:16 PM
System Uptime: 11/12/2009 2:02:46 PM (1 hours ago)

Motherboard: Hewlett-Packard | | 30C5
Processor: Intel® Core™2 Duo CPU T7300 @ 2.00GHz | U10 | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 100 GiB total, 50.204 GiB free.
D: is CDROM (UDF)
E: is FIXED (NTFS) - 49 GiB total, 37.69 GiB free.
G: is NetworkDisk (NTFS) - 136 GiB total, 59.233 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 10/26/2009 9:42:57 PM - System Checkpoint
RP2: 10/28/2009 9:00:58 AM - System Checkpoint
RP3: 10/29/2009 11:14:41 AM - System Checkpoint
RP4: 10/30/2009 11:40:01 AM - System Checkpoint
RP5: 11/2/2009 6:10:14 AM - Software Distribution Service 3.0
RP6: 11/3/2009 8:10:07 AM - Removed Puzzle Quest Demo
RP7: 11/3/2009 8:11:48 AM - Removed Qexplain2full
RP8: 11/3/2009 8:15:38 AM - Removed SQL SPY 6
RP9: 11/3/2009 8:16:14 AM - Removed Safari
RP10: 11/3/2009 10:29:57 AM - Software Distribution Service 3.0
RP11: 11/3/2009 11:36:27 AM - Software Distribution Service 3.0
RP12: 11/4/2009 12:25:56 PM - Installed Steam
RP13: 11/4/2009 1:32:35 PM - Installed DirectX
RP14: 11/4/2009 2:43:39 PM - Removed Steam
RP15: 11/5/2009 12:18:31 PM - Software Distribution Service 3.0
RP16: 11/6/2009 1:00:38 PM - System Checkpoint
RP17: 11/7/2009 8:38:09 AM - Software Distribution Service 3.0
RP18: 11/8/2009 9:06:36 AM - Software Distribution Service 3.0
RP19: 11/9/2009 10:19:06 AM - System Checkpoint
RP20: 11/10/2009 5:06:47 AM - Software Distribution Service 3.0
RP21: 11/11/2009 7:26:22 AM - System Checkpoint
RP22: 11/12/2009 5:56:46 AM - Installed Java™ 6 Update 17

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
ATI Catalyst Control Center
ATI Display Driver
Auctionpay Event Software 4.10
Audacity 1.2.6
AutoUpdate
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CodeSite 3.0.1 Client Tools
CPM and DDM
Critical Update for Windows Media Player 11 (KB959772)
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EVE Online (remove only)
EVEMon
EvolvCS Front Desk Scheduler v2.4
GDR 4053 for SQL Server Analysis Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Integration Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Notification Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
HelpSTAR 9.0 MSDE Windows Client
HelpSTAR Windows Client
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP 3D DriveGuard
HP BatteryCheck 1.00 A7
HP Quick Launch Buttons 6.20 G1
Intel® PRO Network Connections Drivers
InterActual Player
iTunes
Java™ 6 Update 17
Knowledge Xpert for SQL Server V3.2.1
LAME v3.98.2 for Audacity
Malwarebytes' Anti-Malware
McAfee Agent
McAfee VirusScan Enterprise
Microsoft .NET Compact Framework 1.0 SP3 Developer
Microsoft .NET Compact Framework 2.0
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2003 Web Components
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Office SharePoint Designer MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Standard Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Rise Of Nations
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Analysis Services
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Books Online (English) (September 2007)
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Integration Services
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Notification Services
Microsoft SQL Server 2005 Performance Dashboard Reports
Microsoft SQL Server 2005 Tools
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server 2008 Report Builder 2.0
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Move Media Player
Mozilla Firefox (3.0.15)
MSDN Library for Visual Studio 2005
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
MSXML4 Parser
Octoshape add-in for Adobe Flash Player
OpenAL
PANTECH PC Card Software
PANTECH UM175 Driver
Quest Installer
QuickTime
RICOH R5C853 Driver Ver.1.00.02
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB971023)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB971090)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB973673)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sins of a Solar Empire
Skins
Soft Data Fax Modem with SmartCP
SoundMAX
Spybot - Search & Destroy
SQL Server System CLR Types
SQLXML4
Synaptics Pointing Device Driver
Task Coach 0.72.9
TIER Search Utility
Transcription Import Utility
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Sharepoint Designer 2007 Help (KB963675)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB974810)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
VGA USB Camera
VLC media player 1.0.0
VZAccess Manager
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0
Windows PowerShell™ 1.0 MUI pack
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

11/6/2009 5:36:54 PM, error: Service Control Manager [7011] - Timeout (60000 milliseconds) waiting for a transaction response from the W32Time service.
11/5/2009 5:56:39 AM, error: NETLOGON [5719] - No Domain Controller is available for domain YA due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
11/5/2009 12:22:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd

==== End Of File ===========================
