
Redirect directrdr.com and no Windows Safe Mode!


11 replies to this topic

#1 mandersen2 (Members, 6 posts)

Posted 22 December 2009 - 12:48 AM

This all started 2 months ago with the "Antivirus System Pro" virus. I have systematically been removing bits and pieces of this through hours of internet searches and numerous anti-virus / anti-malware downloads. The only obvious remnant left is this problem: while using Internet Explorer I will randomly get a new window that opens, and the web address will start out www.directrdr.com, then it will change to a random news, advertising or search engine page.
The other symptom is that many of the things I have read on the internet ask you to run virus or anti-malware software in "safe mode". When I try to do that I get a Windows error message on a blue screen that will not allow me to enter safe mode.
I downloaded and ran the DDS tool and the post of that is below. I also tried to create a RootRepeal log, but I get a series of error messages, first saying "cannot read boot sector", then "could not read system registry". I have posted that log as well.
Any help you can give will be appreciated. Thank you.


DDS (Ver_09-12-01.01) - NTFSx86
Run by MF5748 at 23:03:51.95 on Mon 12/21/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2171 [GMT -6:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD SE\5\PDVDServ.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\Autonomy\ENTERP~1\AWE.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Documents and Settings\mf5748\Local Settings\Application Data\Autonomy\Enterprise AWE\PDRE\pdre.exe
C:\PROGRA~1\Autonomy\ENTERP~1\SmartFolders\smartfolders.exe
C:\PROGRA~1\Autonomy\ENTERP~1\filescan\filescan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\Documents and Settings\mf5748\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.charter.net/
uDefault_Page_URL = hxxp://home.sandvik.com
mDefault_Page_URL = hxxp://home.sandvik.com
mStart Page = hxxp://home.sandvik.com
uInternet Settings,ProxyServer = www-proxy.sandvik.com:8080
uInternet Settings,ProxyOverride = *.sandvik.com;*.goranssonskaskolan.com;164.4.*;138.103.*;*.dormertools.com;*.prototyp.com;*.titex.com;*.valenite.com;*.walter-ag.de;*.sandvik.ad;<local>
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Enterprise AWE] "c:\progra~1\autonomy\enterp~1\AWELauncher.exe" /check /min
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [nMinderPath] regedit /s c:\windows\system32\nminder_path.reg
mRun: [SGEState] "c:\program files\utimaco\SGEState.vbs"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd se\5\PDVDServ.exe"
mRun: [SgeEcView] "c:\program files\utimaco\safeguard easy\Ecview.exe"
mRun: [EdWizard] "c:\program files\utimaco\safeguard easy\EdWizard.exe" as
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-system: SetVisualStyle =
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office\2003\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: ppeclt - PPEClt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {5F625A6C-2937-4A72-BC93-C186F2FF98A3} - msiexec /fup {5F625A6C-2937-4A72-BC93-C186F2FF98A3} /qb-!
mASetup: {D671062E-44AF-4DC6-AD89-92921D1E1779} - cmd /c reg add HKCU\Software\Lotus\Notes\8.0 /v "NotesIniPath" /d "%USERPROFILE%\Local Settings\Application Data\Lotus\Notes\Data\notes.ini" /f
mASetup: SmartSync_Old_Remove - c:\program files\smartsync pro\Smartsync_UnInstall_Userpart.vbs

============= SERVICES / DRIVERS ===============

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [2008-9-16 19712]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [2008-9-16 63488]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2009-4-29 2235760]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2009-4-23 15360]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-6-18 47504]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-10-6 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-10-6 54608]
R2 MSSQL$SANDVIK2005;SQL Server (SANDVIK2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2009-4-29 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-6-18 673872]
R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [2007-7-18 81920]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-4-23 72904]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-4-23 34344]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-4-23 177672]
S2 DVDService;DVDService;c:\program files\spintop\dvdservice\DVDService.exe [2006-12-20 114688]
S3 AddPrinter;AddPrinter;c:\windows\system32\srvany.exe [1997-5-14 13312]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-11-29 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-11-29 8320]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-6-15 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-6-3 174720]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [2009-5-4 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [2009-5-4 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [2009-5-4 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [2009-5-4 5888]
S3 rk_remover;rk_remover;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-3-20 32408]

=============== Created Last 30 ================

2009-12-15 13:01:50 0 d-----w- c:\program files\CoreInventoryFiles
2009-12-14 14:50:04 0 d-----w- c:\program files\Avery
2009-12-11 22:30:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Lotus
2009-12-11 10:24:28 266752 -c----w- c:\windows\system32\dllcache\oakley.dll
2009-12-11 10:21:33 69632 -c----w- c:\windows\system32\dllcache\raschap.dll
2009-12-11 10:21:33 112128 -c----w- c:\windows\system32\dllcache\rastls.dll
2009-12-01 04:27:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-11-30 14:19:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Nokia
2009-11-30 14:14:22 0 d-----w- c:\windows\SxsCaPendDel
2009-11-29 14:26:19 0 d-----w- c:\program files\common files\PCSuite
2009-11-29 14:26:12 0 d-----w- c:\program files\common files\Nokia
2009-11-29 14:24:08 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2009-11-29 14:24:08 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-11-29 14:24:08 136704 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2009-11-29 14:24:07 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-11-29 14:24:07 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-11-29 14:24:05 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-11-24 13:30:56 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-11-24 13:30:56 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

==================== Find3M ====================

2009-11-15 02:11:30 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-29 07:45:44 841216 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45:42 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-14 08:58:40 12353 ----a-w- c:\program files\common files\umodupefys.bin
2009-10-14 08:58:39 17400 ----a-w- c:\docume~1\alluse~1\applic~1\fywuneb.bin
2009-10-14 08:58:38 16198 ----a-w- c:\docume~1\alluse~1\applic~1\wohylu.bin
2009-10-14 02:40:00 18214 ----a-w- c:\program files\common files\itocesukus.dl
2009-10-14 02:40:00 17985 ----a-w- c:\windows\esehogexyh.bin
2009-10-14 02:40:00 17215 ----a-w- c:\windows\radyrigajy.dat
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2004-01-29 19:58:22 258048 ----a-w- c:\program files\common files\setacl.exe

============= FINISH: 23:09:46.98 ===============

Attached Files
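A triage script for the DDS log above (and for the ComboFix file listing posted later in this thread), added here as an example; it is not part of the original post and is not a BleepingComputer, DDS or ComboFix tool. It parses the Find3M-style rows, flags data files with random-looking names sitting directly in common drop directories, reports minutes in which several files were written across unrelated directories (the six 2009-10-14 entries in the Find3M section above are the kind of burst it is meant to catch, while the three IE patch DLLs from 2009-10-29 are not), and checks a few Pseudo-HJT lines. The drop-directory list, the extension list, the "six or more lowercase letters" rule and the HJT patterns are the example's own heuristics, not anything the thread states; the sample lines are copied from the logs in this thread.

```python
"""Triage helper for DDS / ComboFix file listings and DDS Pseudo-HJT lines.
Added example; the heuristics below are the example author's assumptions."""
import re
from collections import defaultdict

# DDS Find3M row:  date time(:ss)  size  attrs  path
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}):\d{2}\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
# ComboFix row: date time . date time  size-or-dashes  attrs  path
# (ComboFix prints two timestamps; this parser clusters on the first one.)
COMBOFIX_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

# Assumed drop directories: world-writable, rarely browsed; DDS shows some in 8.3 form.
DROP_DIRS = {
    r"c:\windows",
    r"c:\program files\common files",
    r"c:\docume~1\alluse~1\applic~1",
    r"c:\documents and settings\all users\application data",
}
DATA_EXTS = {"bin", "dat", "dl", "tmp"}          # assumed "payload/config" extensions
RANDOM_STEM = re.compile(r"^[a-z]{6,}$")          # assumed random-name rule

HJT_CHECKS = [  # (pattern, why it deserves a look) - example heuristics
    (re.compile(r"^(TB|BHO): .*- No File$"), "orphaned browser add-on entry"),
    (re.compile(r"^[um]Run: \[[^\]]+\] regedit /s "), "Run key silently imports a .reg file at logon"),
    (re.compile(r"^[um]Policies-explorer: NoWindowsUpdate = 1"),
     "Windows Update hidden by policy (confirm it is corporate GPO, not malware)"),
]

# Sample rows copied from the DDS Find3M section in this thread.
SAMPLE_DDS = r"""
2009-11-15 02:11:30 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-29 07:45:44 841216 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45:42 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-14 08:58:40 12353 ----a-w- c:\program files\common files\umodupefys.bin
2009-10-14 08:58:39 17400 ----a-w- c:\docume~1\alluse~1\applic~1\fywuneb.bin
2009-10-14 08:58:38 16198 ----a-w- c:\docume~1\alluse~1\applic~1\wohylu.bin
2009-10-14 02:40:00 18214 ----a-w- c:\program files\common files\itocesukus.dl
2009-10-14 02:40:00 17985 ----a-w- c:\windows\esehogexyh.bin
2009-10-14 02:40:00 17215 ----a-w- c:\windows\radyrigajy.dat
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2004-01-29 19:58:22 258048 ----a-w- c:\program files\common files\setacl.exe
"""
# Sample rows copied from the ComboFix Find3M report in this thread.
SAMPLE_COMBOFIX = r"""
2009-12-28 01:10 . 2009-12-28 01:10 -------- d-----w- C:\spoolerlogs
2009-10-14 08:58 . 2009-10-14 08:58 12353 ----a-w- c:\program files\Common Files\umodupefys.bin
2009-10-14 08:58 . 2009-10-14 08:58 17400 ----a-w- c:\documents and settings\All Users\Application Data\fywuneb.bin
2009-10-14 08:58 . 2009-10-14 08:58 16198 ----a-w- c:\documents and settings\All Users\Application Data\wohylu.bin
"""
# Sample lines copied from the DDS Pseudo HJT Report in this thread.
SAMPLE_HJT = r"""
uStart Page = hxxp://www.charter.net/
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun: [nMinderPath] regedit /s c:\windows\system32\nminder_path.reg
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
"""


def parse_file_rows(text):
    """Return one dict (date, time, size, attrs, path) per DDS or ComboFix row."""
    rows = []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip()) or COMBOFIX_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def split_path(path):
    """Lower-cased (directory, stem, extension); extension is '' when absent... or the stem."""
    d, _, name = path.lower().rpartition("\\")
    stem, _, ext = name.rpartition(".")
    return d, stem, ext


def random_name_hits(rows):
    """Data files with a random-looking lowercase name placed directly in a drop dir."""
    hits = []
    for r in rows:
        d, stem, ext = split_path(r["path"])
        if d in DROP_DIRS and ext in DATA_EXTS and RANDOM_STEM.match(stem):
            hits.append(r["path"])
    return hits


def write_bursts(rows, min_files=3):
    """Minutes in which >= min_files files landed in >= 2 different directories.
    A patch run writes many files into one directory; a dropper scatters them."""
    by_minute = defaultdict(list)
    for r in rows:
        by_minute[f"{r['date']} {r['time']}"].append(r["path"])
    return {k: sorted(v) for k, v in by_minute.items()
            if len(v) >= min_files and len({split_path(p)[0] for p in v}) >= 2}


def hjt_findings(text):
    """(line, reason) for every Pseudo-HJT line matching one of HJT_CHECKS."""
    found = []
    for line in text.splitlines():
        for rx, why in HJT_CHECKS:
            if rx.match(line.strip()):
                found.append((line.strip(), why))
    return found


def triage(file_rows_text, hjt_text):
    rows = parse_file_rows(file_rows_text)
    return {"random_names": random_name_hits(rows),
            "bursts": write_bursts(rows),
            "hjt": hjt_findings(hjt_text)}


if __name__ == "__main__":
    for section, result in triage(SAMPLE_DDS, SAMPLE_HJT).items():
        print(section, result)
    print("combofix", triage(SAMPLE_COMBOFIX, "")["random_names"])
```

The name rule alone would miss a dropper that picks dictionary words, and the burst rule alone fires on installers, so the script reports both and leaves the decision to the responder; setacl.exe in Common Files is deliberately not flagged because its name and extension look like a real tool, which is exactly the kind of file to check by hash rather than by name.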



#2 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 03 January 2010 - 07:22 AM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the "Show All" box while scanning is in progress!
  • When scanning is ready, click Copy. This copies the log to the clipboard.
  • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

Microsoft Windows Insider MVP 2016-2017
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 mandersen2 (Topic Starter, Members, 6 posts)

Posted 03 January 2010 - 12:16 PM

Thank you for taking the time to look into this. I have the two reports from DDS below for you to look at. When I tried to run GMER I got multiple error messages and it wouldn't complete the scan. I get a message saying "C:\windows\system32\config\system: Access is denied".

Please let me know if you want something else. Thanks again for your time...

Attached Files



#4 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 03 January 2010 - 01:16 PM

Hi,

Could you post contents of c:\ComboFix.txt file, please?



#5 mandersen2 (Topic Starter, Members, 6 posts)

Posted 03 January 2010 - 02:22 PM

I downloaded and ran ComboFix a couple of days ago while waiting for a reply on my forum posting, and I have that text file I can post. I tried running ComboFix today and I get an error message saying "installation failed" and it will not run, so here is the old file.

ComboFix 09-12-26.05 - MF5748 12/27/2009 20:17:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2530 [GMT -6:00]
Running from: c:\documents and settings\mf5748\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Documents\ilap.reg

----- BITS: Possible infected sites -----

hxxp://USDNT002.win.dom.sandvik.com:80
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-28 01:10 . 2009-12-28 01:10 -------- d-----w- C:\spoolerlogs
2009-12-24 13:54 . 2009-12-24 13:55 -------- d-----w- c:\program files\trend micro
2009-12-24 13:54 . 2009-12-24 13:55 -------- d-----w- C:\rsit
2009-12-22 13:00 . 2009-12-22 13:00 -------- d-----w- c:\program files\CoreInventoryFiles
2009-12-17 21:41 . 2009-12-17 21:41 34304 ----a-r- c:\documents and settings\mf5748\Application Data\Microsoft\Installer\{C4E2CDA2-9DB7-4821-AE58-746E950C1B4F}\IconC4E2CDA2.exe
2009-12-15 21:04 . 2009-12-15 21:04 -------- d-----w- c:\documents and settings\mf5748\Local Settings\Application Data\Help
2009-12-14 14:50 . 2009-12-14 14:50 -------- d-----w- c:\program files\Avery
2009-12-11 22:40 . 2009-12-11 22:40 -------- d-----w- c:\documents and settings\MP_SVCJOINDOM\Local Settings\Application Data\Lotus
2009-12-11 22:40 . 2009-12-11 22:40 -------- d-----w- c:\documents and settings\mf5748\Local Settings\Application Data\Lotus
2009-12-11 22:30 . 2009-12-11 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lotus
2009-12-11 10:24 . 2009-10-13 10:53 266752 -c----w- c:\windows\system32\dllcache\oakley.dll
2009-12-11 10:21 . 2009-10-12 13:54 69632 -c----w- c:\windows\system32\dllcache\raschap.dll
2009-12-11 10:21 . 2009-10-12 13:54 112128 -c----w- c:\windows\system32\dllcache\rastls.dll
2009-12-01 04:27 . 2009-12-01 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-11-30 22:27 . 2009-12-21 14:39 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-30 14:19 . 2009-11-30 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-11-30 14:15 . 2009-11-30 14:12 24402704 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_en_us[1].exe
2009-11-30 14:14 . 2009-11-30 15:34 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-30 14:12 . 2009-11-30 14:12 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2009-11-30 14:12 . 2009-11-30 14:12 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2009-11-30 14:12 . 2009-11-30 14:12 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2009-11-29 14:26 . 2009-11-29 14:26 -------- d-----w- c:\program files\Common Files\PCSuite
2009-11-29 14:26 . 2009-11-30 14:16 -------- d-----w- c:\program files\Common Files\Nokia
2009-11-29 14:24 . 2009-10-06 17:56 136704 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2009-11-29 14:24 . 2009-10-06 17:56 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2009-11-29 14:24 . 2009-10-06 17:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-11-29 14:24 . 2009-10-06 17:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-11-29 14:24 . 2009-10-06 17:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-11-29 14:24 . 2009-10-06 17:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-11-29 14:23 . 2009-11-29 14:22 34440160 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng_us.exe
2009-11-29 14:22 . 2009-11-29 14:22 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-11-29 14:22 . 2009-11-29 14:22 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-11-29 14:22 . 2009-11-29 14:22 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-11-29 14:22 . 2009-11-29 14:22 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 02:31 . 2009-04-24 12:10 -------- d-----w- c:\program files\Utimaco
2009-12-18 16:50 . 2009-04-29 15:02 118784 ----a-r- c:\documents and settings\mf5748\Application Data\Microsoft\Installer\{8704D51E-25B7-4F23-81E7-AA4F54790230}\_F04690004CDD_410A_8040_562FB0707AEF.exe
2009-12-18 16:50 . 2009-04-29 15:02 34304 ----a-r- c:\documents and settings\mf5748\Application Data\Microsoft\Installer\{8704D51E-25B7-4F23-81E7-AA4F54790230}\misc.exe.D0DF3458_A845_11D3_8D0A_0050046416B9.exe
2009-12-14 14:53 . 2009-05-04 20:20 90688 ----a-w- c:\documents and settings\mf5748\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-11 22:30 . 2009-04-29 14:43 -------- d-----w- c:\program files\IBM
2009-11-30 20:12 . 2009-08-11 13:35 -------- d-----w- c:\documents and settings\mf5748\Application Data\Nokia
2009-11-30 14:15 . 2009-08-11 13:32 -------- d-----w- c:\program files\Nokia
2009-11-30 14:12 . 2009-08-10 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-11-15 04:12 . 2009-10-14 09:42 -------- d-----w- c:\program files\Lavasoft
2009-11-15 04:12 . 2009-10-14 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-15 02:11 . 2009-11-15 02:11 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 14:44 . 2009-11-14 14:44 -------- d-----w- c:\documents and settings\mf5748\Application Data\Malwarebytes
2009-11-14 14:44 . 2009-11-14 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-13 12:10 . 2009-11-13 12:10 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-06 19:47 . 2009-09-07 18:41 -------- d-----w- c:\documents and settings\mf5748\Application Data\HpUpdate
2009-11-05 14:27 . 2009-10-12 15:06 -------- d-----w- c:\documents and settings\mf5748\Application Data\Image Zone Express
2009-11-04 14:42 . 2009-10-30 03:07 -------- d-----w- c:\program files\Sandvik Coromant
2009-10-30 22:23 . 2009-05-04 21:25 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-30 22:23 . 2009-05-04 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-10-29 07:45 . 2006-06-23 11:02 841216 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-27 17:31 . 2009-10-27 17:23 32534192 ----a-w- c:\documents and settings\mf5748\Application Data\Smith Micro\Updates\VZAM-NVTL-2364a-USB760.exe
2009-10-22 15:27 . 2009-10-22 15:27 15086 ----a-r- c:\documents and settings\mf5748\Application Data\Microsoft\Installer\{F3D93447-266D-4837-B33A-EF362541039E}\_B8B33D26C38A897BD19D58.exe
2009-10-22 15:27 . 2009-10-22 15:27 15086 ----a-r- c:\documents and settings\mf5748\Application Data\Microsoft\Installer\{F3D93447-266D-4837-B33A-EF362541039E}\_6FEFF9B68218417F98F549.exe
2009-10-22 15:27 . 2009-10-22 15:27 15086 ----a-r- c:\documents and settings\mf5748\Application Data\Microsoft\Installer\{F3D93447-266D-4837-B33A-EF362541039E}\_3F31654A1AD495CB579927.exe
2009-10-15 22:23 . 2009-10-15 22:23 184144 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-14 08:58 . 2009-10-14 08:58 12353 ----a-w- c:\program files\Common Files\umodupefys.bin
2009-10-14 08:58 . 2009-10-14 08:58 17400 ----a-w- c:\documents and settings\All Users\Application Data\fywuneb.bin
2009-10-14 08:58 . 2009-10-14 08:58 16198 ----a-w- c:\documents and settings\All Users\Application Data\wohylu.bin
2009-10-14 02:40 . 2009-10-14 02:40 18214 ----a-w- c:\program files\Common Files\itocesukus.dl
2009-10-14 02:40 . 2009-10-14 02:40 17985 ----a-w- c:\windows\esehogexyh.bin
2009-10-14 02:40 . 2009-10-14 02:40 17215 ----a-w- c:\windows\radyrigajy.dat
2009-10-13 10:53 . 2004-08-04 12:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 12:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 12:00 112128 ----a-w- c:\windows\system32\rastls.dll
2004-01-29 19:58 . 2004-01-29 19:58 258048 ----a-w- c:\program files\Common Files\setacl.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Enterprise AWE"="c:\progra~1\Autonomy\ENTERP~1\AWELauncher.exe" [2008-09-30 234248]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nMinderPath"="regedit" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-02-04 106496]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-02-04 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-02-04 395264]
"SGEState"="c:\program files\Utimaco\SGEState.vbs" [2007-06-05 3123]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2004-10-06 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD SE\5\PDVDServ.exe" [2004-07-15 32768]
"SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2008-09-16 24653]
"EdWizard"="c:\program files\Utimaco\SafeGuard Easy\EdWizard.exe" [2008-09-16 352345]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-30 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-30 150040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-1-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-10 738968]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-23 282624]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-06-18 18:47 24692 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ppeclt]
2008-05-02 09:10 232856 ----a-w- c:\windows\system32\PPEClt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-158405612-1615598624-1849977318-24131\Scripts\Logoff\0\0]
"Script"=c:\program files\SmartSync Pro\SmartSync_Execute.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-158405612-1615598624-1849977318-24131\Scripts\Logon\0\0]
"Script"=c:\program files\SmartSync Pro\SmartSync_Execute.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-158405612-1615598624-1849977318-24131\Scripts\Logon\1\0]
"Script"=Logon.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-12-12 23:06 642856 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Documents and Settings\\mf5748\\Local Settings\\Application Data\\Autonomy\\Enterprise AWE\\Pdre\\pdre.exe"=
"c:\\Program Files\\Microsoft\\Office\\2003\\OFFICE11\\POWERPNT.EXE"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\IBM\\Lotus\\Notes\\notes.exe"=
"c:\\Program Files\\IBM\\Lotus\\Notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.6.0.20080709-200808010926\\jre\\bin\\notes2w.exe"=
"c:\\Program Files\\IBM\\Lotus\\Notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.6.0.20080709-200808010926\\jre\\bin\\javaw.exe"=

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [9/16/2008 12:19 PM 19712]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [9/16/2008 12:19 PM 63488]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [4/29/2009 11:31 AM 2235760]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [4/23/2009 9:20 AM 15360]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [6/18/2008 12:46 PM 47504]
R2 DVDService;DVDService;c:\program files\Spintop\DVDService\DVDService.exe [12/20/2006 10:33 AM 114688]
R2 MSSQL$SANDVIK2005;SQL Server (SANDVIK2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 3:29 AM 29178224]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [4/29/2009 11:31 AM 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [6/18/2008 12:46 PM 673872]
R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [7/18/2007 5:12 PM 81920]
S3 AddPrinter;AddPrinter;c:\windows\system32\srvany.exe [5/14/1997 9:49 PM 13312]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [11/29/2009 8:24 AM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [11/29/2009 8:24 AM 8320]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [6/15/2009 2:21 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [6/3/2009 9:01 AM 174720]
S3 PTDWBus;Curitel PC Card Composite Device driver (UDP);c:\windows\system32\drivers\PTDWBus.sys [5/4/2009 3:00 PM 27392]
S3 PTDWMdm;Curitel PC Card Drivers (UDP);c:\windows\system32\drivers\PTDWMdm.sys [5/4/2009 3:00 PM 41728]
S3 PTDWVsp;Curitel PC Card Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTDWVsp.sys [5/4/2009 3:00 PM 39808]
S3 PWCTLDRV;The NECHostController Filter Driver;c:\windows\system32\drivers\PWCTLDRV.sys [5/4/2009 3:00 PM 5888]
S3 rk_remover;rk_remover;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 6:03 PM 32408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\SmartSync_Old_Remove]
2007-05-22 07:06 3423 ----a-w- c:\program files\SmartSync Pro\Smartsync_UnInstall_Userpart.vbs
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
mStart Page = hxxp://home.sandvik.com
uInternet Settings,ProxyServer = www-proxy.sandvik.com:8080
uInternet Settings,ProxyOverride = *.sandvik.com;*.goranssonskaskolan.com;164.4.*;138.103.*;*.dormertools.com;*.prototyp.com;*.titex.com;*.valenite.com;*.walter-ag.de;*.sandvik.ad;<local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
ShellIconOverlayIdentifiers-{ba930330-a721-11d3-a7b9-00500464ee16} - Sgedrse.Dll
ShellIconOverlayIdentifiers-{2030D939-54A7-4fea-9B06-49EA77EFC87F} - Sgedrse.Dll
HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
ActiveSetup-{5F625A6C-2937-4A72-BC93-C186F2FF98A3} - msiexec
ActiveSetup-{D671062E-44AF-4DC6-AD89-92921D1E1779} - reg add HKCU\Software\Lotus\Notes\8.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 20:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(476)
c:\windows\system32\WININET.dll
c:\program files\Utimaco\SafeGuard Easy\SgMsgBhk.dll
c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll
c:\program files\Utimaco\SafeGuard Easy\SgeUtil.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
c:\windows\System32\SCardSvr.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\IBM\Lotus\Notes\ntmulti.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Utimaco\SafeGuard Easy\SgeCtl.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\msiexec.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
c:\program files\McAfee\Common Framework\McScript_InUse.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\RunDll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Autonomy\ENTERP~1\AWE.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\documents and settings\mf5748\Local Settings\Application Data\Autonomy\Enterprise AWE\PDRE\pdre.exe
c:\progra~1\Autonomy\ENTERP~1\SmartFolders\smartfolders.exe
c:\progra~1\Autonomy\ENTERP~1\filescan\filescan.exe
.
**************************************************************************
.
Completion time: 2009-12-27 20:39:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 02:39

Pre-Run: 37,553,532,928 bytes free
Post-Run: 37,793,361,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C4138DB7F23A6233833D928D2F456D25

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:56 PM

Posted 03 January 2010 - 03:12 PM

Hi,

Disable your antivirus protection, then re-download ComboFix to your desktop and run the tool.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#7 mandersen2

mandersen2
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:56 AM

Posted 03 January 2010 - 05:40 PM

I have Virus Scan Enterprise from McAfee and I can find no way to disable it. Any suggestions? I read the forum on disabling virus software and it doesn't address mine...

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:56 PM

Posted 04 January 2010 - 03:00 AM

Hi,

Are you able to access McAfee settings and disable it there (sorry, but I don't have experience of that program so can't give exact instructions)? If not, then you may have to uninstall it temporarily.


#9 mandersen2

mandersen2
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:56 AM

Posted 04 January 2010 - 07:26 AM

I am unable to do either. This is a work computer, and I do not have the access rights to change any anti-virus settings. Can we work around?

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:56 PM

Posted 04 January 2010 - 07:30 AM

Hi,

If that's a work computer, then you have to contact your IT support.


#11 mandersen2

mandersen2
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:56 AM

Posted 04 January 2010 - 09:30 AM

I tried that with no luck. Based on all the posts here I thought maybe there was an answer. Thanks for your time.

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:01:56 PM

Posted 04 January 2010 - 10:01 AM

Hi,

Since the company has IT support, they should be made aware of the situation. What action they decide to take to solve the matter is another thing. We're not here to step on IT support's toes.
