Infected Machine - infected copy of atapi.sys found by Combofix


This topic is locked
3 replies to this topic

#1 ptwood

Members, 2 posts

Posted 03 December 2009 - 07:51 AM

WinXP Service Pack 3 Dell m4300 machine.

Last week I let my wife use the machine; she surfed to billboard.com and the machine was infected with something.

Could not open Task Manager among other things.

Shut down, restarted; on restart, logged in as a different local admin user and deleted all temp files from the profiles. That stabilized the machine.

Updated McAfee and Ad-Aware. Scanned; no major issues uncovered the first day.

2nd day, same thing: updated McAfee and Ad-Aware, scanned. McAfee removed a virus, cannot recall which.

Machine seemed stable.

This week, started getting hijacked links in Firefox and IE. Also locked pop-ups with 'x' and 'cancel' looping back to advertisement pop-ups.

Also, every time I opened a new tab in Firefox, a new Firefox window would pop up with a dozen or so tabs open to local files.

I was in an urgent situation, so I ran ComboFix; it found some stuff and removed it. The entire ComboFix log will be pasted below. Note, I could not figure out how to turn off McAfee on-access scan, so ran it with it on, and I could not download the 'update' for ComboFix, so it ran as I downloaded it.

The machine is now stable, but I would like expert help making sure it is clean.

After the ComboFix log below, I have posted the DDS.scr and the RootRepeal.exe logs from this morning.

Please let me know.

Thank you, Pete.

ComboFix 09-12-02.01 - pwood 12/02/2009 10:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3072 [GMT -6:00]
Running from: d:\downloads\cf\cfo.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\Webroot\WEBROO~1\Backup\ntSVc.ocx
c:\winnt\system32\7EDD963DF0.dll
c:\winnt\system32\clrviddc.dll
d:\user profiles\All Users\Start Menu\Windows Live Messenger .lnk

Infected copy of c:\winnt\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_r_server


((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-02 14:02 . 2009-12-02 14:02 -------- dc-h--w- d:\user profiles\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-01 23:53 . 2009-12-01 23:53 -------- d-----w- d:\user profiles\pwood\Local Settings\Application Data\Mozilla
2009-12-01 23:52 . 2009-12-01 23:52 -------- d-sh--w- d:\user profiles\pwood\PrivacIE
2009-12-01 23:48 . 2009-12-01 23:48 -------- d-----w- d:\user profiles\pwood\Application Data\Webroot
2009-12-01 23:27 . 2009-12-01 23:27 -------- d-----w- c:\program files\MSSOAP
2009-12-01 23:26 . 2009-12-01 23:26 -------- d-----w- d:\user profiles\pwood.PTCNET\Application Data\Webroot
2009-12-01 23:26 . 2009-12-01 23:26 -------- d-----w- d:\user profiles\All Users\Application Data\Webroot
2009-12-01 23:26 . 2009-12-01 23:26 -------- d-----w- c:\program files\Webroot
2009-12-01 23:26 . 2009-11-06 21:19 1563008 ----a-w- c:\winnt\WRSetup.dll
2009-12-01 23:26 . 2009-12-02 14:38 164 ----a-w- c:\winnt\install.dat
2009-12-01 23:03 . 2009-12-01 23:08 -------- d-----w- d:\user profiles\All Users\Application Data\Spybot - Search & Destroy
2009-12-01 23:03 . 2009-12-01 23:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 21:16 . 2009-11-30 21:16 -------- d-sh--w- d:\user profiles\pwood.PTCNET\IECompatCache
2009-11-30 11:48 . 2009-11-30 11:48 -------- d-----w- C:\QUARANTINE
2009-11-29 02:51 . 2009-11-29 02:51 -------- d-sh--w- c:\winnt\system32\config\systemprofile\IETldCache
2009-11-22 23:51 . 2009-11-22 23:51 -------- d-----w- c:\winnt\system32\config\systemprofile\Application Data\Intel
2009-11-22 23:51 . 2009-11-22 23:51 -------- d-----w- d:\user profiles\pwood\Application Data\Intel
2009-11-22 23:51 . 2009-11-22 23:51 -------- d-----w- d:\user profiles\pwood.PTCNET\Application Data\Intel
2009-11-22 23:51 . 2009-11-22 23:51 -------- d-----w- d:\user profiles\NetworkService\Application Data\Intel
2009-11-22 23:51 . 2009-11-22 23:51 -------- d-----w- d:\user profiles\LocalService\Application Data\Intel
2009-11-22 23:51 . 2009-11-22 23:51 -------- d-----w- d:\user profiles\Default User\Application Data\Intel
2009-11-22 23:51 . 2009-11-22 23:51 -------- d-----w- d:\user profiles\Administrator\Application Data\Intel
2009-11-22 23:50 . 2009-05-29 04:23 4203392 ----a-w- c:\winnt\system32\drivers\NETw5x32.sys
2009-11-22 23:50 . 2008-06-20 16:33 2756608 ----a-w- c:\winnt\system32\NETw5r32.dll
2009-11-22 23:50 . 2008-06-20 16:32 663552 ----a-w- c:\winnt\system32\NETw5c32.dll
2009-11-22 23:50 . 2009-11-22 23:50 -------- d-----w- c:\program files\Common Files\Intel
2009-11-22 23:50 . 2009-11-22 23:50 -------- d-----w- d:\user profiles\All Users\Application Data\Intel
2009-11-22 23:50 . 2009-11-22 23:50 -------- d-----w- c:\program files\Intel
2009-11-18 13:47 . 2009-11-18 13:47 -------- d-----w- d:\user profiles\pwood\Application Data\AT&T
2009-11-13 16:00 . 2009-11-13 16:00 -------- d-----w- c:\winnt\system32\LogFiles
2009-11-13 05:07 . 2009-11-13 05:07 -------- d-----w- c:\program files\Linksys
2009-11-13 05:01 . 2009-11-13 05:01 -------- d-----w- c:\program files\WebEx
2009-11-13 05:00 . 2009-04-07 21:33 23984 ----a-w- c:\winnt\system32\drivers\pnarp.sys
2009-11-13 05:00 . 2009-04-07 21:33 25264 ----a-w- c:\winnt\system32\drivers\purendis.sys
2009-11-13 05:00 . 2009-11-13 05:00 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-11-13 04:59 . 2009-11-13 05:00 -------- d-----w- d:\user profiles\All Users\Application Data\Pure Networks
2009-11-12 16:28 . 2009-11-12 16:28 -------- d-----w- c:\program files\AT&T
2009-11-12 15:34 . 2009-11-12 15:34 -------- d-----w- d:\user profiles\pwood.PTCNET\Application Data\AT&T
2009-11-07 05:42 . 2009-11-07 05:42 -------- d-----w- d:\user profiles\pwood\Application Data\Subversion
2009-11-07 05:40 . 2009-12-01 23:46 -------- d-----w- d:\user profiles\pwood\Local Settings\Application Data\TSVNCache
2009-11-07 05:40 . 2009-11-07 05:40 -------- d-sh--w- d:\user profiles\pwood\IETldCache
2009-11-06 18:00 . 2009-11-06 18:00 23152 ----a-w- c:\winnt\system32\drivers\sshrmd.sys
2009-11-06 18:00 . 2009-11-06 18:00 176752 ----a-w- c:\winnt\system32\drivers\ssidrv.sys
2009-11-06 18:00 . 2009-11-06 18:00 29808 ----a-w- c:\winnt\system32\drivers\ssfs0bbc.sys
2009-11-05 20:18 . 2009-11-05 20:18 -------- d-----w- d:\user profiles\pwood.PTCNET\Application Data\Cisco
2009-11-05 20:17 . 2009-11-05 20:17 -------- d-----w- d:\user profiles\All Users\Application Data\Cisco
2009-11-05 20:17 . 2009-11-05 20:17 -------- d-----w- c:\program files\Cisco
2009-11-04 19:33 . 2009-11-04 19:33 -------- d-----w- d:\user profiles\pwood.PTCNET\Application Data\DJJava
2009-11-04 19:33 . 2009-11-04 19:33 -------- d-----w- d:\user profiles\All Users\Application Data\Protexis
2009-11-04 19:32 . 2009-11-04 19:32 -------- d-----w- c:\program files\decomp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 16:15 . 2008-08-15 15:52 -------- d-----w- d:\user profiles\LocalService\Application Data\VMware
2009-12-02 16:15 . 2008-08-15 15:51 -------- d-----w- d:\user profiles\All Users\Application Data\VMware
2009-12-01 22:46 . 2008-08-14 15:36 168603 ----a-w- c:\winnt\system32\nvModes.dat
2009-12-01 08:47 . 2008-11-25 18:27 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-19 01:33 . 2008-11-18 12:51 256 ----a-w- c:\winnt\system32\pool.bin
2009-11-18 02:29 . 2008-08-14 15:50 -------- d-----w- c:\program files\Microsoft System Center Online Client
2009-11-13 16:05 . 2008-08-15 15:29 92552 ----a-w- d:\user profiles\pwood.PTCNET\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-13 05:01 . 2009-11-13 05:01 8892928 ----a-w- d:\user profiles\All Users\Application Data\atscie.msi
2009-11-13 04:18 . 2008-08-14 15:55 -------- d-----w- d:\user profiles\All Users\Application Data\Microsoft Help
2009-11-12 16:28 . 2009-05-07 02:18 -------- d-----w- d:\user profiles\All Users\Application Data\AT&T
2009-11-12 15:39 . 2008-08-15 15:47 -------- d-----w- c:\program files\Nortel Networks
2009-11-08 04:56 . 2008-08-18 17:51 -------- d-----w- d:\user profiles\pwood.PTCNET\Application Data\AdobeUM
2009-10-31 22:43 . 2009-10-31 22:43 -------- d-----w- d:\user profiles\pwood.PTCNET\Application Data\Amazon
2009-10-31 22:43 . 2009-10-31 22:43 -------- d-----w- c:\program files\Amazon
2009-10-27 20:52 . 2009-10-27 20:52 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-10-27 20:52 . 2009-10-27 20:52 -------- d-----w- c:\program files\Cisco Systems
2009-10-27 20:50 . 2009-10-27 20:50 -------- d-----w- c:\program files\vpnmsfc
2009-10-20 19:05 . 2009-10-20 19:04 -------- d-----w- c:\program files\ProcessExplorer
2009-10-20 17:42 . 2009-10-19 16:29 -------- d-----w- c:\program files\BitComet
2009-10-13 20:12 . 2009-10-13 20:03 -------- d-----w- c:\program files\proeWildfire 4.0
2009-10-13 20:01 . 2009-10-13 19:59 -------- d-----w- c:\program files\flexnet
2009-10-12 20:09 . 2008-09-11 03:10 -------- d-----w- d:\user profiles\pwood.PTCNET\Application Data\PTC
2009-10-12 19:57 . 2009-10-12 19:57 -------- d-----w- d:\user profiles\All Users\Application Data\Macrovision
2009-10-04 05:28 . 2009-10-04 05:28 0 ---ha-w- c:\winnt\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-10-04 05:28 . 2009-10-04 05:28 -------- d-----w- c:\program files\DellTPad
2009-10-04 05:26 . 2008-08-17 13:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-01 14:06 . 2008-08-14 14:32 86315 ----a-w- c:\winnt\pchealth\helpctr\OfflineCache\index.dat
2009-09-30 21:39 . 2009-04-05 22:47 15688 ----a-w- c:\winnt\system32\lsdelete.exe
2009-09-23 12:55 . 2009-04-05 22:36 64288 ----a-w- c:\winnt\system32\drivers\Lbd.sys
2009-09-20 20:43 . 2008-08-27 20:25 81736 ----a-w- c:\winnt\system32\lmdimon8.dll
2009-09-11 14:18 . 1980-01-01 00:00 136192 ----a-w- c:\winnt\system32\msv1_0.dll
2009-09-04 21:03 . 1980-01-01 00:00 58880 ----a-w- c:\winnt\system32\msasn1.dll
2009-10-12 22:30 . 2009-10-12 22:30 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-10-12 22:30 . 2009-10-12 22:30 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-10-12 22:30 . 2009-10-12 22:30 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\winnt\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\winnt\system32\dumprep 0 -u" [X]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-29 96816]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2008-05-07 86016]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-05-21 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-05-21 1202448]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2008-05-07 13529088]
"NVHotkey"="nvHotkey.dll" - c:\winnt\system32\nvhotkey.dll [2008-05-07 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2008-08-15 4167376]

d:\user profiles\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\winnt\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-10-27 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\D:^User Profiles^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=d:\user profiles\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\winnt\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\D:^User Profiles^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\user profiles\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\program files\\nortel networks\\extranet.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\PTC\\ProductView Client\\i486_nt\\obj\\PVExchangeServer.exe"=
"c:\\Program Files\\PTC\\ProductView Client\\i486_nt\\obj\\productview.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\POWERPNT.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD Cinema\\PowerDVDCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"445:TCP"= 445:TCP:File sharing and Ping(TCP 445)
"139:TCP"= 139:TCP:File sharing and Ping(TCP 139)
"137:UDP"= 137:UDP:File sharing and Ping(UDP 137)
"138:UDP"= 138:UDP:File sharing and Ping(UDP 138)
"4899:TCP"= 4899:TCP:Radmin(TCP 4899)
"6129:TCP"= 6129:TCP:Dameware(TCP 6129)
"6312:TCP"= 6312:TCP:Dameware(TCP 6312)
"5900:TCP"= 5900:TCP:VNC Viewer(TCP 5900)
"6667:TCP"= 6667:TCP:Trillian(TCP 6667)
"21:TCP"= 21:TCP:Exceed7/8(TCP 21)
"7788:TCP"= 7788:TCP:ProE WF(TCP 7788)
"443:TCP"= 443:TCP:Windchill6/7(TCP 443)
"5000:TCP"= 5000:TCP:Windchill6/7(TCP 5000)
"5001:TCP"= 5001:TCP:Windchill6/7(TCP 5001)
"3000:TCP"= 3000:TCP:Windchill6/7(TCP 3000)
"4000:TCP"= 4000:TCP:Windchill6/7(TCP 4000)
"1521:TCP"= 1521:TCP:Windchill6/7(TCP 1521)
"18001:TCP"= 18001:TCP:Windchill6/7(TCP 18001)
"18002:TCP"= 18002:TCP:Windchill6/7(TCP 18002)
"8006:TCP"= 8006:TCP:Windchill7/8(TCP 8006)
"8010:TCP"= 8010:TCP:Windchill7/8(TCP 8010)
"8009:TCP"= 8009:TCP:Windchill7/8(TCP 8009)
"2030:TCP"= 2030:TCP:Windchill7/8(TCP 2030)
"389:TCP"= 389:TCP:Windchill7/8Aphelion(TCP 389)

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [4/5/2009 4:36 PM 64288]
R0 ssfs0bbc;ssfs0bbc;c:\winnt\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/03 03:16];c:\program files\CyberLink\PowerDVD9\000.fcl [5/7/2009 8:05 PM 87536]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\PhotoshopElements70\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]
R2 radexecd;Radia Notify Daemon;c:\program files\Novadigm\radexecd.exe [5/4/2005 2:35 PM 217268]
R2 radsched;Radia Scheduler Daemon;c:\program files\Novadigm\radsched.exe [8/25/2004 11:05 AM 245940]
R2 Radstgms;Radia MSI Redirector;c:\program files\Novadigm\Radstgms.exe [10/22/2004 2:53 PM 327860]
R2 vmci;VMware vmci;c:\winnt\system32\drivers\vmci.sys [10/28/2008 10:08 PM 54960]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 2:39 PM 427192]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [8/17/2008 7:31 AM 9817]
R3 RadiaMsi;RadiaMsi;c:\winnt\system32\drivers\radiamsi.sys [9/10/2004 1:45 PM 21504]
S2 gupdate1c9de1d99af0410;Google Update Service (gupdate1c9de1d99af0410);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2009 10:18 AM 133104]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [8/17/2008 7:31 AM 117760]
S3 AphAdmin;Aphelion Administration;d:\ptc\windchill90\aphelion\system\MHAdminServerMgr.exe [9/10/2008 9:12 PM 118720]
S3 AphDrive;Aphelion Drive Mapping;d:\ptc\windchill90\aphelion\system\MHMapDriveServerMgr.exe [9/10/2008 9:12 PM 117880]
S3 AphServices;Aphelion Services;d:\ptc\windchill90\aphelion\system\MHServerMgr.exe [9/10/2008 9:12 PM 162464]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [7/15/2009 11:46 AM 121416]
S3 Cognos 8;Cognos 8;d:\ptc\windchill90\cognos\bin\cogbootstrapservice.exe [9/10/2008 9:50 PM 147456]
S3 DXEC01;DXEC01;c:\winnt\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [11/6/2007 2:22 PM 34064]
S3 OracleDBConsolewind;OracleDBConsolewind;d:\oracle\product\10.2.0\db_1\BIN\nmesrvc.exe [9/9/2008 2:00 PM 24064]
S3 OracleOraDb10g_home1CMAdmin;OracleOraDb10g_home1CMAdmin;d:\oracle\product\10.2.0\db_1\BIN\CMADMIN.EXE [9/9/2008 2:00 PM 286720]
S3 OracleOraDb10g_home1CMan;OracleOraDb10g_home1CMan;d:\oracle\product\10.2.0\db_1\BIN\CMGW.EXE [9/9/2008 2:00 PM 69632]
S3 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;d:\oracle\product\10.2.0\db_1\BIN\TNSLSNR --> d:\oracle\product\10.2.0\db_1\BIN\TNSLSNR [?]
S3 OracleServiceWIND;OracleServiceWIND;d:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE WIND --> d:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE WIND [?]
S3 tomcat;tomcat;d:\ptc\windchill90\tomcat\bin\TomcatService.exe [9/10/2008 9:11 PM 98304]
S3 Windchill;Windchill;d:\ptc\windchill90\windchill\opt\ntservice\WindchillService.exe [9/10/2008 10:35 PM 98304]
S4 OracleJobSchedulerWIND;OracleJobSchedulerWIND;d:\oracle\product\10.2.0\db_1\Bin\extjob.exe WIND --> d:\oracle\product\10.2.0\db_1\Bin\extjob.exe WIND [?]
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 14:03]

2009-10-23 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-12-02 c:\winnt\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-20 16:17]

2009-12-02 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 16:18]

2009-12-02 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 16:18]

2009-12-02 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-412668190-725345543-90372Core.job
- d:\user profiles\pwood.PTCNET\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-02 19:38]

2009-12-02 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-412668190-725345543-90372UA.job
- d:\user profiles\pwood.PTCNET\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-02 19:38]

2009-11-12 c:\winnt\Tasks\SCOnline-Full-{89C1481E-9333-4a66-9014-18C9F60CA82D}.job
- c:\program files\Microsoft System Center Online Client\SCOnlineClient.exe [2009-01-01 01:49]

2009-12-02 c:\winnt\Tasks\SCOnline-Heartbeat-{88214F7F-C787-4246-8057-FF74EB808500}.job
- c:\program files\Microsoft System Center Online Client\SCOnlineClient.exe [2009-01-01 01:49]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
LSP: bmnet.dll
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: cycling.tv\www
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure.ptc.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - d:\user profiles\pwood.PTCNET\Application Data\Mozilla\Firefox\Profiles\h0u8cu9v.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\PTC\ProductView Client\i486_nt\obj\np6_pvapplite9.dll
FF - plugin: c:\program files\Real\RealOne Enterprise Desktop\Netscape6\nppl3260.dll
FF - plugin: d:\user profiles\pwood.PTCNET\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
AddRemove-Ad-Aware - d:\user profiles\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-NVIDIA Drivers - c:\winnt\system32\nvuninst.exe UninstallGUI
AddRemove-RealOne Enterprise Desktop 6.0 - c:\program files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealOneEnt|6.0
AddRemove-{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD} - c:\program files\DellTPad\Uninstap.exe ADDREMOVE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 10:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="d:\oracle\product\10.2.0\db_1\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(312)
c:\winnt\system32\relog_ap.dll
c:\winnt\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(3560)
c:\winnt\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\winnt\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\winnt\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\flexnet\i486_nt\obj\lmgrd.exe
c:\winnt\system32\nvsvc32.exe
c:\winnt\system32\HPZipm12.exe
c:\program files\flexnet\i486_nt\obj\lmgrd.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\vmnat.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\winnt\system32\vmnetdhcp.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\winnt\system32\RUNDLL32.EXE
c:\winnt\system32\rundll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\winnt\system32\wbem\unsecapp.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\winnt\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\flexnet\i486_nt\obj\ptc_d.exe
.
**************************************************************************
.
Completion time: 2009-12-02 10:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-02 16:20

Pre-Run: 5,495,762,944 bytes free
Post-Run: 5,296,967,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CEE27F02AEC9E04C9A473ABD8A264925


DDS.scr:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/14/2008 9:34:18 AM
System Uptime: 12/3/2009 6:05:21 AM (0 hours ago)

Motherboard: Dell Inc. | | 0UY141
Processor: Intel Pentium III Xeon processor | Microprocessor | 2592/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 30 GiB total, 4.892 GiB free.
D: is FIXED (NTFS) - 82 GiB total, 42.033 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\389969C1484FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\389969C1484FC000
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0001
Service: vpnva

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet1
Device ID: ROOT\VMWARE\0000
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet1
PNP Device ID: ROOT\VMWARE\0000
Service: VMnetAdapter

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet8
Device ID: ROOT\VMWARE\0001
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet8
PNP Device ID: ROOT\VMWARE\0001
Service: VMnetAdapter

==== System Restore Points ===================

RP297: 10/15/2009 3:49:29 PM - System Checkpoint
RP298: 10/17/2009 9:53:53 AM - System Checkpoint
RP299: 10/19/2009 10:08:42 AM - System Checkpoint
RP300: 10/21/2009 9:04:36 AM - System Checkpoint
RP301: 10/22/2009 4:08:28 PM - System Checkpoint
RP302: 10/26/2009 6:12:14 AM - System Checkpoint
RP303: 10/27/2009 11:33:10 AM - System Checkpoint
RP304: 10/27/2009 3:52:28 PM - Installed Cisco Systems VPN Client 5.0.04.0300
RP305: 10/27/2009 4:44:39 PM - Configured Microsoft Office Professional Plus 2007
RP306: 10/28/2009 11:10:48 AM - Removed Microsoft Office Live Meeting 2007
RP307: 10/28/2009 11:11:09 AM - Installed Microsoft Office Live Meeting 2007
RP308: 10/29/2009 11:12:10 AM - System Checkpoint
RP309: 11/2/2009 5:52:19 PM - System Checkpoint
RP310: 11/4/2009 12:05:48 PM - System Checkpoint
RP311: 11/4/2009 2:32:52 PM - Installed DJ Java Decompiler v.3.11.11.95
RP312: 11/4/2009 11:15:11 PM - Software Distribution Service 3.0
RP313: 11/5/2009 3:17:52 PM - Installed Cisco AnyConnect VPN Client
RP314: 11/6/2009 5:44:54 PM - System Checkpoint
RP315: 11/8/2009 1:55:27 AM - System Checkpoint
RP316: 11/12/2009 8:11:49 AM - System Checkpoint
RP317: 11/12/2009 9:02:47 AM - Software Distribution Service 3.0
RP318: 11/12/2009 10:27:19 AM - Removed AT&T Communication Manager.
RP319: 11/12/2009 10:28:05 AM - Installed AT&T Communication Manager.
RP320: 11/12/2009 10:18:23 PM - Software Distribution Service 3.0
RP321: 11/15/2009 10:29:24 AM - System Checkpoint
RP322: 11/16/2009 11:34:02 PM - System Checkpoint
RP323: 11/18/2009 10:18:39 AM - System Checkpoint
RP324: 11/19/2009 11:49:09 AM - System Checkpoint
RP325: 11/22/2009 5:49:55 PM - Installed Intel® PROSet/Wireless WiFi Software.
RP326: 11/24/2009 8:35:43 AM - System Checkpoint
RP327: 11/27/2009 11:48:18 AM - Software Distribution Service 3.0
RP328: 11/28/2009 5:32:38 PM - System Checkpoint
RP329: 11/28/2009 9:05:08 PM - Removed Bonjour
RP330: 11/30/2009 6:25:39 AM - System Checkpoint
RP331: 12/1/2009 6:54:04 AM - System Checkpoint
RP332: 12/2/2009 11:35:47 AM - Installed Windows Defender

==== Installed Programs ======================


2600
2600_Help
2600Trb
7-Zip 4.65
Acronis True Image Home
Ad-Aware
Adobe Acrobat 6.0.1 Professional
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 7.0
Adobe Photoshop.com Inspiration Browser
Adobe Premiere Elements 7.0
Adobe Premiere Elements 7.0 Templates
Adobe Reader 8.1.0
Adobe Shockwave Player 11.5
Agent Ransack Version 1.7.3
AI RoboForm (All Users)
AiO_Scan
AiOSoftware
Amazon MP3 Downloader 1.0.5
AnswerWorks 5.0 English Runtime
Aphelion
Apple Mobile Device Support
Apple Software Update
AT&T Communication Manager
BlackBerry Desktop Software 4.2.2
BufferChm
Cisco AnyConnect VPN Client
Cisco Systems VPN Client 5.0.04.0300
Citrix ICA Web Client
Conexant HDA D330 MDC V.92 Modem
CyberLink PowerDVD 9
Dell Driver Download Manager
Dell Driver Download Manager - 1
Destinations
Director
DJ Java Decompiler v.3.11.11.95
Driver Installer
Fax
FileZilla (remove only)
FreeMind
Google Chrome
Google Earth
Google Earth Plug-in
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Image Zone 4.7
HP Image Zone Express
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPSystemDiagnostics
Intel PROSet Wireless
Intel® PROSet/Wireless WiFi Software
IntelliSonic Speech Enhancement
iTunes
J2SE Development Kit 5.0 Update 16
J2SE Runtime Environment 5.0 Update 16
Juniper Networks Network Connect 6.4.0
Juniper Networks Setup Client
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Communicator 2005
Microsoft Office Excel 2007 Get Started Tab
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Live Meeting Add-in Pack
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint 2007 Get Started Tab
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Project Professional 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word 2007 Get Started Tab
Microsoft Office Word MUI (English) 2007
Microsoft Project 2000
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft System Center Online Client
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.5)
Mozilla Thunderbird (2.0.0.23)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6 Service Pack 2 (KB954459)
Network Magic
Nokia Connectivity Adapter Cable DKU-5
OGA Notifier 2.0.0048.0
PALGINA
PDFCreator
PhotoshopdotcomInspirationBrowser
Picasa 3
PowerDVD 5.1
Pro/ENGINEER Release Wildfire 4.0 Datecode M020
ProductContext
ProductView Client 9.1
PTC License Server Release Wildfire 4.0 Datecode M020
PTC VPN Contivity
Pure Networks Platform
QFolder
Quicken 2008
QuickTime
Radia Client
Readme
RightFax Product Suite
Roxio Media Manager
SAPGUI for Java 7.10 rev 5
Scan
ScannerCopy
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
SigmaTel Audio
SmartSound Quicktracks for Premiere Elements
SnagIt 7
Spy Sweeper Core
Spybot - Search & Destroy
TextPad 5
TortoiseSVN 1.6.1.16129 (32 bit)
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Outlook 2007 Junk Email Filter (kb975960)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VMware Workstation
WebEx
WebEx Support Manager for Internet Explorer
WebFldrs XP
WebReg
Winamp
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Firefox Plugin
Windows Search 4.0
Windows XP Service Pack 3
WinPcap 4.0.2
WinRAR archiver
WinZip 11.1
Wireshark 1.0.0
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

12/2/2009 8:58:17 AM, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
12/2/2009 8:58:08 AM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
12/2/2009 8:57:48 AM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
12/2/2009 8:11:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfetdik MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip tcpipBM WS2IFSL
12/2/2009 8:11:27 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/2/2009 8:11:27 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/2/2009 8:11:27 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/2/2009 8:11:27 PM, error: Service Control Manager [7001] - The Cisco AnyConnect VPN Agent service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/2/2009 11:19:10 AM, error: Srv [2000] - The server's call to a system service failed unexpectedly.
12/2/2009 10:15:38 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
12/1/2009 5:42:07 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
12/1/2009 5:39:51 PM, error: Service Control Manager [7034] - The Pure Networks Platform Service service terminated unexpectedly. It has done this 1 time(s).
12/1/2009 5:38:53 PM, error: Service Control Manager [7022] - The Pure Networks Platform Service service hung on starting.
12/1/2009 4:50:10 PM, error: Dhcp [1002] - The IP address lease 132.253.44.114 for the Network Card with network address 00FFB078B588 has been denied by the DHCP server 132.253.44.15 (The DHCP Server sent a DHCPNACK message).
12/1/2009 4:45:46 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SharedAccess service.
12/1/2009 4:34:27 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
12/1/2009 4:33:46 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
12/1/2009 4:32:28 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
12/1/2009 4:31:54 PM, error: Service Control Manager [7034] - The VMware DHCP Service service terminated unexpectedly. It has done this 1 time(s).
12/1/2009 4:30:32 PM, error: Service Control Manager [7034] - The VMware NAT Service service terminated unexpectedly. It has done this 1 time(s).
11/30/2009 5:26:21 PM, error: Kerberos [4] - The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/aa-printserver.ptcnet.ptc.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (PTCNET.PTC.COM), and the client realm. Please contact your system administrator.
11/30/2009 2:41:30 AM, error: Dhcp [1002] - The IP address lease 10.197.2.126 for the Network Card with network address 00FF308CE68A has been denied by the DHCP server 132.253.44.15 (The DHCP Server sent a DHCPNACK message).
11/29/2009 9:46:20 AM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
11/29/2009 8:30:59 AM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
11/29/2009 8:30:58 AM, error: Service Control Manager [7000] - The Nortel Extranet Access Protocol service failed to start due to the following error: The system cannot find the file specified.
11/29/2009 8:30:48 AM, error: NETLOGON [5719] - No Domain Controller is available for domain PTCNET due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
11/28/2009 9:02:06 PM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).
11/28/2009 9:01:50 PM, error: Service Control Manager [7034] - The Smart Card service terminated unexpectedly. It has done this 1 time(s).
11/28/2009 9:01:40 PM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless WiFi Service service terminated unexpectedly. It has done this 1 time(s).
11/28/2009 9:00:35 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
11/28/2009 11:10:16 PM, error: Service Control Manager [7031] - The Juniper Network Connect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
11/28/2009 11:09:12 PM, error: Service Control Manager [7034] - The Adobe Active File Monitor V7 service terminated unexpectedly. It has done this 1 time(s).
11/28/2009 11:08:46 PM, error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).
11/28/2009 11:07:01 PM, error: Service Control Manager [7034] - The VMware Authorization Service service terminated unexpectedly. It has done this 1 time(s).
11/27/2009 4:41:33 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001F3C8F7F7D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
11/26/2009 8:47:13 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.

==== End Of File ===========================


RootRepeal.exe:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/03 06:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xB4E5B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINNT\system32\config\SECURITY.bak
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b116b70

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba93887e

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8b11f1c8

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8b11f150

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8b116e40

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8b1e3208

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8b2380a8

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8b116be8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b116a80

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x8b1f7140

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8b116cd8

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8b1c0208

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8b116f30

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8b116d50

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba938bfe

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8b116eb8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8b116c60

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8b116fa8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8b116dc8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b116af8

Stealth Objects
-------------------
Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: MsMpEng.exe (PID: 816) Address: 0xe3714020 Size: -

Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: svchost.exe (PID: 856) Address: 0xe2e95020 Size: -

Object: Hidden Handle [Index: 2052, Type: UnknownType]
Process: svchost.exe (PID: 856) Address: 0xe1166020 Size: -

Object: Hidden Handle [Index: 4100, Type: UnknownType]
Process: svchost.exe (PID: 856) Address: 0xe119a818 Size: -

Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: AAWService.exe (PID: 1160) Address: 0xe3c04020 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8b0ca9f0 Size: 1083

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8b138488 Size: 2936

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x8b1394d0 Size: 108

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8b13dfa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8b0e3cd0 Size: 710

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b0e3238 Size: 474

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b0e6338 Size: 2080

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8b0dba10 Size: 1521

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8b1332e0 Size: 1258

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b0dabc0 Size: 1089

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ac1de20 Size: 481

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ac78f20 Size: 225

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8af3b478 Size: 2952

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8af7f170 Size: 739

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ae8aad0 Size: 1328

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b13b5f0 Size: 1058

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8af95938 Size: 286

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ad83aa0 Size: 1380

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x8b0c1b60 Size: 663

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a8d1c30 Size: 976

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a8e7210 Size: 1118

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a896b18 Size: 338

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8abd2aa8 Size: 1369

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b134388 Size: 1045

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a8e7158 Size: 1302

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8abad6f0 Size: 2321

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8b0dadd8 Size: 553

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x8a8b4150 Size: 935

==EOF==

/Pete

#2 suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 16 December 2009 - 02:15 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 ptwood

  • Topic Starter

  • Members
  • 2 posts

Posted 16 December 2009 - 02:58 PM

Hi suebaby - my machine has been stable for the duration and I have updated and activated Windows Defender and McAfee Anti-virus and run them both completely, several times. Today, I did a quick Windows Defender and McAfee scan just for memory and rootkits. My Windows Firewall is on as well and I am not getting any of the aberrant behaviors I previously had. Everything seems stable. I have not posted the HijackThis log anywhere else. I think I am clean. Thank you for coming by and checking. I would move to more urgent threads and let this one go. Thank you very much. /Pete

#4 suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 16 December 2009 - 03:18 PM

Thank you for letting me know.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.