
Google Results Hijacked in Firefox


This topic is locked. 16 replies to this topic.

#1 bigjacobus
  • Members
  • 8 posts

Posted 31 January 2010 - 09:50 PM

Hello. My Google results have been getting randomly redirected. I have included my HijackThis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:03 PM, on 1/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Red5\wrapper\wrapper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tftpd32_SE\tftpd32_svc.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wootalyzer\woot.exe
C:\Program Files\Spark\Spark.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WASTE\WASTE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.XXXXXXXXXX.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Wootalyzer] "C:\Program Files\Wootalyzer\woot.exe" /boot
O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\Spark.exe
O4 - HKCU\..\Run: [SolarWinds Toolbar] H:\System\Apps\CDC12440-E816-4a7b-8321-1d2dfd246826\Exec\SolarWinds-Toolbar.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [WS9E3IQBKY] C:\WINDOWS\TEMP\Vhh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WS9E3IQBKY] C:\WINDOWS\TEMP\Vhh.exe (User 'Default user')
O4 - Startup: WASTE.lnk = C:\Program Files\WASTE\WASTE.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237677875843
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A899D8D-1ADA-4FC3-BBAF-F397B469A67C}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9ab49cee387b0) (gupdate1c9ab49cee387b0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Western Digital Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Western Digital Technology, Inc\Western Digital Array Management\MsgSvr.exe (file missing)
O23 - Service: Red5 - Unknown owner - C:\Program Files\Red5\wrapper\wrapper.exe
O23 - Service: Tftpd32 service edition (Tftpd32_svc) - Ph. Jounin - C:\Program Files\Tftpd32_SE\tftpd32_svc.exe
O23 - Service: VMware vCenter Converter Agent (vmware-converter-agent) - VMware, Inc. - C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
O23 - Service: VMware vCenter Converter Server (vmware-converter-server) - VMware, Inc. - C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 9107 bytes

#2 thewall
  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 02 February 2010 - 04:00 PM

Hello bigjacobus, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

In order to assist you I will need for you to perform the following:

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt

  • Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO, then use the following settings for a more complete scan.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
      Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    If GMER does not want to run add the following to those that you unchecked and try it again:
    • Registry
    • Files

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 bigjacobus
  • Topic Starter
  • Members
  • 8 posts

Posted 03 February 2010 - 10:23 AM


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by benj at 18:21:50.07 on Tue 02/02/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.434 [GMT -8:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Red5\wrapper\wrapper.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Tftpd32_SE\tftpd32_svc.exe
    C:\WINDOWS\system32\java.exe
    C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
    C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spark\Spark.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\WASTE\WASTE.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\TightVNC\vncviewer.exe
    C:\Program Files\Spark\lib\windows\IeEmbed.exe
    C:\Program Files\TightVNC\vncviewer.exe
    C:\Program Files\TeamViewer\Version4\TeamViewer.exe
    C:\Documents and Settings\benj\Desktop\firefox downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://webmail.benjacobus.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [Creative MediaSource Go] c:\program files\creative\mediasource\go\CTCMSGo.exe /SCB
    uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [Wootalyzer] "c:\program files\wootalyzer\woot.exe" /boot
    uRun: [Spark] c:\program files\spark\Spark.exe
    uRun: [SolarWinds Toolbar] h:\system\apps\cdc12440-e816-4a7b-8321-1d2dfd246826\exec\SolarWinds-Toolbar.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
    mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    dRun: [WS9E3IQBKY] c:\windows\temp\Vhh.exe
    StartupFolder: c:\docume~1\benj\startm~1\programs\startup\waste.lnk - c:\program files\waste\WASTE.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    Trusted Zone: aol.com\free
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237677875843
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: {7A899D8D-1ADA-4FC3-BBAF-F397B469A67C} = 208.67.222.222,208.67.220.220
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\benj\applic~1\mozilla\firefox\profiles\3t5a4tj0.default\
    FF - prefs.js: browser.startup.homepage - www.benjacobus.com
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npDimdimControl.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [2009-3-21 150528]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-21 333192]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-21 28424]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-21 360584]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-29 285392]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-3-21 10384]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-6-24 34064]
    R2 Red5;Red5;c:\program files\red5\wrapper\wrapper.exe [2008-2-19 204800]
    R2 Tftpd32_svc;Tftpd32 service edition;c:\program files\tftpd32_se\tftpd32_svc.exe [2009-6-18 148992]
    R2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter-a.exe [2009-4-17 428592]
    R2 vmware-converter-server;VMware vCenter Converter Server;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2009-4-17 428592]
    R2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\vmware\vmware vcenter converter standalone\vstor2-mntapi10.sys [2009-4-17 22448]
    R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2008-3-4 34128]
    R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-1-31 15944]
    R3 OVT511;LifeView USB RoboCAM;c:\windows\system32\drivers\omcamvid.sys [2001-3-9 160073]
    R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2009-12-21 27168]
    S2 gupdate1c9ab49cee387b0;Google Update Service (gupdate1c9ab49cee387b0);c:\program files\google\update\GoogleUpdate.exe [2009-3-22 133104]
    S3 AX88172;NETGEAR FA120 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\FA120.sys [2009-8-8 14048]
    S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2009-4-17 27312]
    S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2009-9-27 18864]
    S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2009-12-21 27168]
    S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\benj\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 32768]
    S4 W3inancw;W3inancw; [x]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-01-30 21:47:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-12-21 22:34:24 37920 ----a-w- c:\windows\system32\drivers\tbhsd.sys
    2009-12-21 22:34:04 27168 ----a-w- c:\windows\system32\drivers\rrnetcap.sys
    2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-29 20:10:41 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-26 05:09:25 12048 ----a-w- c:\windows\system32\forfiles.exe

    ============= FINISH: 18:23:54.43 ===============


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-02-02 22:20:20
    Windows 5.1.2600 Service Pack 3
    Running: g3cb2iro.exe; Driver: C:\DOCUME~1\benj\LOCALS~1\Temp\afldruow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


#4 thewall
  • Malware Response Team
  • 6,425 posts
  • Location:Florida

Posted 03 February 2010 - 12:50 PM

Looks like atapi.sys may be infected, which would cause redirection problems. Let's run ComboFix and see if it will pick up on it:

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.





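A small log-triage script, added here as an example (it is not a BleepingComputer, HijackThis or DDS feature), that runs the two checks a helper makes by eye on the logs above: an autorun value under the SYSTEM and Default-user hives whose executable sits in C:\WINDOWS\TEMP, and a boot-path driver (atapi.sys) whose Find3M timestamp is far newer than the service pack. The sample lines are constructed from the thread's logs; the driver list and the baseline date are assumptions.

```python
"""Triage a HijackThis / DDS log excerpt for two patterns visible in this thread.

Rules (added example, not a BleepingComputer or HijackThis feature):
  1. an autorun value (HJT "O4", DDS uRun/mRun/dRun) whose executable lives under a TEMP
     directory, with a note when the value name looks machine-generated (e.g. WS9E3IQBKY);
  2. a DDS "Find3M" entry for a boot-path driver (atapi.sys here) timestamped after the
     service pack baseline.
"""
import re
from datetime import date

# Constructed sample, modelled on lines from the HijackThis and DDS logs posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Wootalyzer] "C:\Program Files\Wootalyzer\woot.exe" /boot
O4 - HKUS\S-1-5-18\..\Run: [WS9E3IQBKY] C:\WINDOWS\TEMP\Vhh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WS9E3IQBKY] C:\WINDOWS\TEMP\Vhh.exe (User 'Default user')
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [WS9E3IQBKY] c:\windows\temp\Vhh.exe
2010-01-30 21:47:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-29 20:10:41 12464 ----a-w- c:\windows\system32\avgrsstx.dll
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')", user part optional.
HJT_O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# DDS equivalent; the prefix letter encodes the hive.
DDS_RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DDS_HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
# DDS Find3M line: "<date> <time> <size> <attributes> <path>" (ComboFix uses a different layout).
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<size>\d+) \S+ (?P<path>.+)$")
# First drive-letter path ending in an executable extension; quotes and trailing switches are ignored.
EXE_PATH_RE = re.compile(
    r'"?(?P<path>[a-z]:\\[^"]*?\.(?:exe|scr|dll|cpl|com|bat|cmd))\b', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# Upper-case letters and digits only, at least one digit, 8+ characters: a weak secondary signal.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")

# Assumptions: which drivers count as boot-path drivers worth checking, and the baseline date
# after which a fresh timestamp on them is unexpected (roughly the Windows XP SP3 release).
CORE_DRIVERS = {"atapi.sys", "iastor.sys"}
SP_BASELINE = date(2008, 4, 21)


def triage(log_text, baseline=SP_BASELINE):
    """Return a list of (rule, detail) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_O4_RE.match(line)
        hive = m.group("hive") if m else None
        if not m:
            m = DDS_RUN_RE.match(line)
            hive = DDS_HIVES[m.group("hive")] if m else None
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            p = EXE_PATH_RE.search(cmd)
            if p and TEMP_DIR_RE.search(p.group("path")):
                rule = "temp-dir autorun"
                if RANDOM_NAME_RE.match(name):
                    rule += ", machine-generated value name"
                findings.append((rule, f"{hive}: [{name}] {p.group('path')}"))
            continue
        m = FIND3M_RE.match(line)
        if m:
            path = m.group("path").lower()
            base = path.rsplit("\\", 1)[-1]
            modified = date.fromisoformat(m.group("date"))
            if base in CORE_DRIVERS and modified > baseline:
                findings.append(("core driver newer than baseline",
                                 f"{base} modified {modified.isoformat()}, {m.group('size')} bytes"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:45} {detail}")
```

The same value name appearing under both the S-1-5-18 and .DEFAULT hives means the entry runs before any interactive logon, which is why it is reported once per hive rather than de-duplicated.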

#5 bigjacobus
  • Topic Starter
  • Members
  • 8 posts

Posted 03 February 2010 - 02:14 PM


    ComboFix 10-02-03.01 - benj 02/03/2010 11:01:12.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.385 [GMT -8:00]
    Running from: c:\documents and settings\benj\Desktop\firefox downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\benj\Application Data\inst.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
    .

    2010-02-01 02:38 . 2010-02-01 02:38 -------- d-----w- c:\program files\Trend Micro
    2010-02-01 00:16 . 2010-02-01 00:16 152576 ----a-w- c:\documents and settings\benj\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-02-01 00:12 . 2010-02-01 00:12 79488 ----a-w- c:\documents and settings\benj\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-31 23:21 . 2010-02-03 15:20 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-01-31 23:16 . 2010-01-31 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-01-31 23:16 . 2010-01-31 23:16 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-01-31 16:20 . 2010-02-01 00:16 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-31 16:19 . 2010-01-31 16:19 -------- d-----w- c:\documents and settings\benj\Application Data\Malwarebytes
    2010-01-31 16:19 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-31 16:18 . 2010-01-31 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-31 16:18 . 2010-02-01 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-31 16:18 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-26 17:52 . 2010-01-18 16:58 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-01-26 17:52 . 2010-01-18 16:58 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-20 03:28 . 2010-01-20 03:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\benj\Local Settings\Application Data\jZip
    2010-01-17 02:07 . 2010-01-17 02:08 -------- d-----w- c:\program files\jZip
    2010-01-16 22:42 . 2010-01-16 22:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-01-12 21:08 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-02 02:52 . 2009-03-22 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-01 02:45 . 2009-07-11 14:46 -------- d-----w- c:\documents and settings\benj\Application Data\vlc
    2010-02-01 02:05 . 2009-03-21 23:17 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000004-20021102}.dat
    2010-02-01 02:05 . 2009-03-21 23:17 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000001-00001102-00000004-20021102}.dat
    2010-02-01 00:18 . 2009-03-22 05:40 -------- d-----w- c:\program files\Java
    2010-01-30 21:47 . 2009-03-21 23:56 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-01-27 02:18 . 2009-03-22 23:54 -------- d-----w- c:\program files\Google
    2010-01-25 04:23 . 2009-03-22 20:35 -------- d-----w- c:\documents and settings\benj\Application Data\U3
    2009-12-27 22:43 . 2009-03-22 04:12 -------- d-----w- c:\program files\WASTE
    2009-12-26 02:14 . 2009-12-26 02:14 476512 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
    2009-12-26 02:14 . 2009-12-26 02:14 169312 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
    2009-12-26 02:14 . 2009-12-26 02:14 128352 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
    2009-12-26 02:14 . 2009-12-26 02:14 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
    2009-12-26 02:14 . 2009-12-26 02:14 99680 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
    2009-12-26 02:14 . 2009-12-26 02:14 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
    2009-12-26 02:14 . 2009-12-26 02:14 230752 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
    2009-12-26 02:14 . 2009-12-26 02:14 120160 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
    2009-12-26 02:14 . 2009-12-26 02:14 87392 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
    2009-12-26 02:14 . 2009-12-26 02:14 140640 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
    2009-12-26 01:55 . 2009-12-26 01:55 -------- d-----w- c:\program files\RapidSolution
    2009-12-26 01:55 . 2009-12-26 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\RapidSolution
    2009-12-24 04:43 . 2009-07-05 21:34 -------- d-----w- c:\documents and settings\benj\Application Data\TeamViewer
    2009-12-21 22:34 . 2009-12-21 22:34 37920 ----a-w- c:\windows\system32\drivers\tbhsd.sys
    2009-12-21 22:34 . 2009-12-21 22:34 27168 ----a-w- c:\windows\system32\drivers\rrnetcap.sys
    2009-12-21 19:14 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-20 23:46 . 2009-03-21 23:55 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-19 02:41 . 2009-03-27 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-12-16 02:58 . 2009-03-22 04:38 -------- d-----w- c:\documents and settings\benj\Application Data\FileZilla
    2009-12-12 01:42 . 2009-12-12 01:42 0 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\GUIcommon.dll
    2009-12-08 06:12 . 2009-03-23 02:42 -------- d-----w- c:\documents and settings\benj\Application Data\wootalyzer
    2009-11-29 20:10 . 2009-03-22 01:39 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-29 20:10 . 2009-03-22 01:39 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-29 20:10 . 2009-03-22 01:39 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-29 20:10 . 2009-03-22 01:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-26 05:09 . 2009-11-26 04:51 12048 ----a-w- c:\windows\system32\forfiles.exe
    2009-11-21 15:51 . 2002-08-29 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative MediaSource Go"="c:\program files\Creative\MediaSource\GO\CTCMSGo.exe" [2003-05-29 131072]
    "RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 135168]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-22 39408]
    "Wootalyzer"="c:\program files\Wootalyzer\woot.exe" [2009-03-26 374272]
    "Spark"="c:\program files\Spark\Spark.exe" [2007-11-14 434176]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "CTHelper"="CTHELPER.EXE" [2003-06-20 24576]
    "AsioReg"="CTASIO.DLL" [2003-06-20 118784]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
    "WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2009-03-05 585728]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "nwiz"="nwiz.exe" [2007-12-05 1626112]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
    "HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-01-31 4955456]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

    c:\documents and settings\benj\Start Menu\Programs\Startup\
    WASTE.lnk - c:\program files\WASTE\WASTE.exe [2005-2-4 427008]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-21 809488]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-11-29 20:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-02-19 07:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanRegistry]
    C:\W [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\WASTE\\WASTE.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\TightVNC\\vncviewer.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
    "c:\\Program Files\\Spark\\Spark.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "9089:TCP"= 9089:TCP:VMware vCenter Converter Standalone - Agent
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [3/21/2009 3:48 PM 150528]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/21/2009 5:39 PM 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/21/2009 5:39 PM 360584]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/29/2009 12:10 PM 285392]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/21/2009 7:54 PM 10384]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/24/2009 3:23 PM 34064]
    R2 Tftpd32_svc;Tftpd32 service edition;c:\program files\Tftpd32_SE\tftpd32_svc.exe [6/18/2009 11:57 AM 148992]
    R2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [4/17/2009 7:42 PM 428592]
    R2 vmware-converter-server;VMware vCenter Converter Server;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [4/17/2009 7:59 PM 428592]
    R2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files\VMware\VMware vCenter Converter Standalone\vstor2-mntapi10.sys [4/17/2009 7:42 PM 22448]
    R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [3/4/2008 5:30 PM 34128]
    R3 OVT511;LifeView USB RoboCAM;c:\windows\system32\drivers\omcamvid.sys [3/9/2001 4:32 PM 160073]
    R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [12/21/2009 2:34 PM 27168]
    S2 gupdate1c9ab49cee387b0;Google Update Service (gupdate1c9ab49cee387b0);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2009 3:56 PM 133104]
    S2 Red5;Red5;c:\program files\Red5\wrapper\wrapper.exe [2/19/2008 4:15 PM 204800]
    S3 AX88172;NETGEAR FA120 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\FA120.sys [8/8/2009 7:47 PM 14048]
    S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [4/17/2009 7:42 PM 27312]
    S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [9/27/2009 8:45 PM 18864]
    S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [12/21/2009 2:34 PM 27168]
    S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\benj\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 4:10 PM 32768]
    S4 W3inancw;W3inancw; [x]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-22 23:54]

    2010-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 23:56]

    2010-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 23:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://webmail.benjacobus.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    TCP: {7A899D8D-1ADA-4FC3-BBAF-F397B469A67C} = 208.67.222.222,208.67.220.220
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\benj\Application Data\Mozilla\Firefox\Profiles\3t5a4tj0.default\
    FF - prefs.js: browser.startup.homepage - www.benjacobus.com
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npDimdimControl.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-SolarWinds Toolbar - h:\system\Apps\CDC12440-E816-4a7b-8321-1d2dfd246826\Exec\SolarWinds-Toolbar.exe
    HKLM-Run-Cmaudio - cmicnfg.cpl



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-03 11:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
    "ImagePath"="\Sys"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b2,c4,d2,3e,68,65,f1,46,92,28,18,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b2,c4,d2,3e,68,65,f1,46,92,28,18,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1012)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll

    - - - - - - - > 'winlogon.exe'(3372)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    .
    Completion time: 2010-02-03 11:12:20
    ComboFix-quarantined-files.txt 2010-02-03 19:12

    Pre-Run: 40,640,040,960 bytes free
    Post-Run: 41,641,119,744 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - D1F9BE7D63616DCD7369132A58A4445E


    #6 thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 03 February 2010 - 05:11 PM

    Hmm, kind of thought we might see CF take out a little more than that. Is there any change in the redirection problem?
    If I have helped you then please consider donating so I can continue the fight against malware
    All donations go directly to the helper

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #7 bigjacobus
    • Topic Starter
    • Members
    • 8 posts

    Posted 03 February 2010 - 08:22 PM

    I have not had the redirection problem since coming here. I tried my best to remove it myself manually and came to the same conclusion that you did with the atapi.sys file being the culprit.

    I attempted to remove it prior to posting and saw it reappear on its own.

    This is what prompted me to make the post here to verify that I actually had removed it or if it was still the problem.

    Please let me know if there is any more information that I can provide you.

    #8 thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 03 February 2010 - 09:01 PM

    Appears you did a pretty good job. We'll run Kaspersky, which is one of our best in-depth scanners, and see if it can pick up on anything which might still be there:

    It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

    Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

    If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Open the Kaspersky WebScanner page.
    • Click on the button on the main page.
    • The program will launch and fill in the Information section on the left.
    • Read the "Requirements and Limitations" then press the button.
    • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
    • Once the files have been downloaded, click on the ...button.
      In the scan settings make sure the following are selected:
      • Detect malicious programs of the following categories:
        Viruses, Worms, Trojan Horses, Rootkits
        Spyware, Adware, Dialers and other potentially dangerous programs
      • Scan compound files (doesn't apply to the File scan area):
        Archives
        Mail databases
        By default the above items should already be checked.
      • Click the button, if you made any changes.
    • Now under the Scan section on the left:
      Select My Computer
    • The program will now start and scan your system. This will run for a while, be patient and let it finish.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • In the drop down box labeled Files of type change the type to Text file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    You can refer to this animation by sundavis if needed.

    #9 bigjacobus
    • Topic Starter
    • Members
    • 8 posts

    Posted 05 February 2010 - 11:55 AM

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, February 5, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Thursday, February 04, 2010 18:01:54
    Records in database: 3411406
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    O:\

    Scan statistics:
    Objects scanned: 197656
    Threats found: 31
    Infected objects found: 75
    Suspicious objects found: 0
    Scan duration: 12:51:05


    File name / Threat / Threats count
    C:\Documents and Settings\benj\Desktop\firefox downloads\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
    C:\Documents and Settings\benj\Desktop\firefox downloads\tightvnc-1.3.10-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
    C:\Documents and Settings\benj\Desktop\old desktop\Downloads\7zBlade.zip Infected: Trojan.BAT.Agent.iz 1
    C:\Documents and Settings\benj\Desktop\old desktop\Downloads\tightvnc-1.3.9-setup(2).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
    C:\Documents and Settings\benj\Desktop\old desktop\Downloads\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
    C:\Documents and Settings\benj\Desktop\old desktop\Downloads\VNCScan.2008.11.11.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.v 1
    C:\Documents and Settings\benj\Desktop\old desktop\Downloads\VNCScan.2008.11.11.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
    C:\Documents and Settings\benj\Desktop\old desktop\Downloads\VNCScan.2008.11.11.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
    C:\Documents and Settings\benj\Desktop\old desktop\Downloads\VNCScan.2008.11.11.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 3
    C:\Documents and Settings\benj\Desktop\old desktop\u3 stuff\packages built\2002 Engineers Edition.u3p Infected: not-a-virus:Server-FTP.Win32.Tftp.500 1
    C:\Documents and Settings\benj\Desktop\old desktop\u3 stuff\packages built\Cain.u3p Infected: not-a-virus:PSWTool.Win32.Cain.284 2
    C:\Documents and Settings\benj\Desktop\old desktop\u3 stuff\packages built\Cain.u3p Infected: not-a-virus:PSWTool.Win32.Cain.288 1
    C:\Documents and Settings\benj\Desktop\old desktop\u3 stuff\packages built\ipscanner.u3p Infected: not-a-virus:NetTool.Win32.Portscan.c 1
    C:\Documents and Settings\benj\Desktop\old desktop\u3 stuff\packages built\TightVNC.u3p Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
    C:\Documents and Settings\benj\Desktop\old desktop\u3 stuff\packages built\TightVNC.u3p Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
    C:\Documents and Settings\benj\My Documents\my downloads\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
    C:\Documents and Settings\benj\My Documents\my downloads\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
    C:\Documents and Settings\benj\My Documents\my downloads\VNC.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    O:\backup (www)\benj_public_html\files\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
    O:\backup (www)\benj_public_html\files\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
    O:\from allen\BIZ IMAGES\ca_setup.rar Infected: not-a-virus:PSWTool.Win32.Cain.269 1
    O:\from allen\BIZ IMAGES\ca_setup.rar Infected: not-a-virus:PSWTool.Win32.Cain.e 2
    O:\from allen\BIZ IMAGES\Solarwinds Engineers Edition 2002 v 5.0\SolarWinds2002-EE-Release.exe Infected: not-a-virus:Server-FTP.Win32.Tftp.500 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\I386\SYSTEM32\WM_HOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\PROGRAMS\CAIN\ABEL.DLL Infected: not-a-virus:PSWTool.Win32.Cain.e 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\PROGRAMS\CAIN\ABEL.EXE Infected: not-a-virus:PSWTool.Win32.Cain.e 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\PROGRAMS\CAIN\CAIN.EXE Infected: not-a-virus:PSWTool.Win32.Cain.273 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\PROGRAMS\IPSCAN\IPSCAN.EXE Infected: not-a-virus:NetTool.Win32.Portscan.c 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\PROGRAMS\PASSPRO\PASSWORDSPRO.EXE Infected: not-a-virus:PSWTool.Win32.SAMInside.b 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\PROGRAMS\ULTRAVNC\VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\PROGRAMS\VNCSERVER\VNCCONFIG.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\PROGRAMS\VNCSERVER\WINVNC4.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\ANTI-SPYWARE\FINDNFIX.EXE Infected: not-a-virus:RemoteAdmin.Win32.NirCmdLine.14 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\ANTI-SPYWARE\UTILITIES\ATM30.EXE Infected: Trojan-Spy.Win32.Mailspy.22.e 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\NETWORK\IPSCAN.EXE Infected: not-a-virus:NetTool.Win32.Portscan.c 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\NETWORK\REMOTE ADMIN\TECH_SUPPORT.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\NETWORK\REMOTE ADMIN\ULTRAVNC-1.0-SETUP_SF.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\NETWORK\REMOTE ADMIN\VNC-4.0-X86_WIN32.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\MAILPV.EXE Infected: not-a-virus:PSWTool.Win32.MailPassView.130 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\MSPASS.EXE Infected: not-a-virus:PSWTool.Win32.Messen.102 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\NETSCAPASS.EXE Infected: not-a-virus:PSWTool.Win32.NetScaPass.a 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\REVELATION V2\REVELATION.EXE Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\REVELATION V2\REVELATIONHELPER.DLL Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\REVELATIONV2.ZIP Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 2
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\WIN9X\ABELKILLER.EXE Infected: not-a-virus:PSWTool.Win32.Cain.a 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\WIN9X\CAIN.EXE Infected: not-a-virus:PSWTool.Win32.Cain.20 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\WIN9X\REVELATION.EXE Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\RECOVERY\PASSWORDS\XP\IOPUS-PWDREC-SETUP.EXE Infected: not-a-virus:PSWTool.Win32.ActMon.a 1
    O:\from allen\BIZ IMAGES\TECHCDs\7-13 techcd\TOOLS\UTILITIES\KEYFINDER\KEYFINDER.EXE Infected: not-a-virus:PSWTool.Win32.RAS.a 2
    O:\mp3\new stuff from charles\kmd171gu_en.exe Infected: not-a-virus:AdWare.Win32.Cydoor 2
    O:\u3 stuff\packages built\2002 Engineers Edition.u3p Infected: not-a-virus:Server-FTP.Win32.Tftp.500 1
    O:\u3 stuff\packages built\Cain.u3p Infected: not-a-virus:PSWTool.Win32.Cain.284 2
    O:\u3 stuff\packages built\Cain.u3p Infected: not-a-virus:PSWTool.Win32.Cain.288 1
    O:\u3 stuff\packages built\TightVNC.u3p Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
    O:\u3 stuff\packages built\TightVNC.u3p Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
    O:\uploads\cain and able\cain25b58.exe Infected: not-a-virus:PSWTool.Win32.Cain.25b59 1
    O:\uploads\cain and able\cain25b58.exe Infected: not-a-virus:PSWTool.Win32.Cain.b 1
    O:\uploads\Networking Tools\Solarwinds Engineers Edition 2002 v 5.0\SolarWinds2002-EE-Release.exe Infected: not-a-virus:Server-FTP.Win32.Tftp.500 1
    O:\uploads\Solarwinds Engineers Edition 2002 v 5.0\SolarWinds2002-EE-Release.exe Infected: not-a-virus:Server-FTP.Win32.Tftp.500 1
    O:\uploads\vnc\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
    O:\uploads\vnc\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1

    Selected area has been scanned.


    #10 thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 05 February 2010 - 12:35 PM

    Although those can be legitimate they can also be used for exploitation. Are you aware of PasswordTool as well as remote administration being used on your computer?

    #11 bigjacobus
    • Topic Starter
    • Members
    • 8 posts

    Posted 05 February 2010 - 07:49 PM

    Yes, all the listed items are legitimate tools that I use for my work. I did not see anything that stood out to me in this instance. I do believe that it's looking like it's cleaned up. Is there anything else that I should be doing besides keeping all my scanning software up to date?

    #12 thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 05 February 2010 - 09:05 PM

    I need to see your uninstall log so we can check to see if you have any outdated programs that could be exploited. When you first ran DDS in your original post, two logs should have been generated. I need the Attach.txt; however, if you don't have it, please rerun DDS and post it so we can check. If that is all OK we will clean off our tools and finish up.

    #13 bigjacobus
    • Topic Starter
    • Members
    • 8 posts

    Posted 08 February 2010 - 12:39 AM

    This is from the initial run.

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/21/2009 3:57:20 PM
    System Uptime: 1/31/2010 8:09:01 AM (58 hours ago)

    Motherboard: MICRO-STAR INC. | | MS-6728
    Processor: Intel® Pentium® 4 CPU 3.00GHz | FC-478 | 3042/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 112 GiB total, 37.944 GiB free.
    D: is FIXED (NTFS) - 112 GiB total, 99.199 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    O: is FIXED (NTFS) - 932 GiB total, 422.22 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP289: 11/5/2009 1:23:45 PM - System Checkpoint
    RP290: 11/6/2009 9:58:42 AM - Avg8 Update
    RP291: 11/7/2009 10:26:50 AM - System Checkpoint
    RP292: 11/8/2009 10:26:51 AM - System Checkpoint
    RP293: 11/9/2009 11:26:52 AM - System Checkpoint
    RP294: 11/10/2009 12:26:52 PM - System Checkpoint
    RP295: 11/11/2009 1:26:53 PM - System Checkpoint
    RP296: 11/12/2009 2:26:54 PM - System Checkpoint
    RP297: 11/13/2009 1:29:56 PM - Software Distribution Service 3.0
    RP298: 11/14/2009 2:26:56 PM - System Checkpoint
    RP299: 11/15/2009 3:26:56 PM - System Checkpoint
    RP300: 11/16/2009 4:26:57 PM - System Checkpoint
    RP301: 11/17/2009 5:29:12 PM - System Checkpoint
    RP302: 11/18/2009 7:05:57 PM - System Checkpoint
    RP303: 11/19/2009 7:26:59 PM - System Checkpoint
    RP304: 11/20/2009 8:59:47 PM - System Checkpoint
    RP305: 11/21/2009 9:27:04 PM - System Checkpoint
    RP306: 11/22/2009 9:40:17 PM - System Checkpoint
    RP307: 11/23/2009 10:07:24 PM - System Checkpoint
    RP308: 11/24/2009 9:57:23 PM - Installed Microsoft ActiveSync
    RP309: 11/25/2009 9:10:44 AM - Avg8 Update
    RP310: 11/26/2009 10:07:26 AM - System Checkpoint
    RP311: 11/27/2009 12:05:14 PM - System Checkpoint
    RP312: 11/28/2009 12:06:24 PM - System Checkpoint
    RP313: 11/28/2009 8:59:18 PM - Software Distribution Service 3.0
    RP314: 11/29/2009 12:09:52 PM - Installed AVG Free 9.0
    RP315: 11/30/2009 8:23:39 AM - Avg8 Update
    RP316: 11/30/2009 8:24:15 AM - Avg8 Update
    RP317: 12/1/2009 11:52:20 AM - System Checkpoint
    RP318: 12/2/2009 12:50:28 PM - System Checkpoint
    RP319: 12/3/2009 6:13:16 PM - System Checkpoint
    RP320: 12/4/2009 6:13:27 PM - System Checkpoint
    RP321: 12/5/2009 6:22:26 PM - System Checkpoint
    RP322: 12/6/2009 7:12:27 PM - System Checkpoint
    RP323: 12/7/2009 7:30:24 PM - System Checkpoint
    RP324: 12/8/2009 7:44:51 PM - System Checkpoint
    RP325: 12/9/2009 8:07:21 PM - Software Distribution Service 3.0
    RP326: 12/10/2009 8:12:35 PM - System Checkpoint
    RP327: 12/11/2009 8:52:28 AM - Avg8 Update
    RP328: 12/11/2009 8:53:45 AM - Avg8 Update
    RP329: 12/13/2009 11:44:12 AM - System Checkpoint
    RP330: 12/14/2009 12:01:16 PM - System Checkpoint
    RP331: 12/15/2009 1:05:20 PM - System Checkpoint
    RP332: 12/16/2009 2:01:17 PM - System Checkpoint
    RP333: 12/17/2009 2:02:23 PM - System Checkpoint
    RP334: 12/18/2009 9:24:44 AM - Avg8 Update
    RP335: 12/19/2009 10:02:24 AM - System Checkpoint
    RP336: 12/20/2009 11:16:26 AM - System Checkpoint
    RP337: 12/20/2009 3:46:43 PM - Installed HP USB Disk Storage Format Tool
    RP338: 12/21/2009 7:44:06 PM - System Checkpoint
    RP339: 12/22/2009 9:25:21 AM - Avg8 Update
    RP340: 12/23/2009 10:01:22 AM - System Checkpoint
    RP341: 12/24/2009 11:01:22 AM - System Checkpoint
    RP342: 12/25/2009 12:02:54 PM - System Checkpoint
    RP343: 12/25/2009 5:55:23 PM - Installed Tunebite
    RP344: 12/26/2009 6:16:45 PM - System Checkpoint
    RP345: 12/27/2009 7:16:43 PM - System Checkpoint
    RP346: 12/28/2009 8:15:34 PM - System Checkpoint
    RP347: 12/29/2009 9:16:40 PM - System Checkpoint
    RP348: 12/30/2009 9:46:39 PM - System Checkpoint
    RP349: 12/31/2009 8:32:46 AM - Avg8 Update
    RP350: 1/1/2010 1:10:59 PM - System Checkpoint
    RP351: 1/2/2010 1:50:28 PM - System Checkpoint
    RP352: 1/3/2010 2:50:33 PM - System Checkpoint
    RP353: 1/4/2010 3:50:30 PM - System Checkpoint
    RP354: 1/5/2010 4:50:31 PM - System Checkpoint
    RP355: 1/6/2010 5:50:32 PM - System Checkpoint
    RP356: 1/7/2010 6:02:24 PM - System Checkpoint
    RP357: 1/8/2010 6:50:33 PM - System Checkpoint
    RP358: 1/9/2010 7:50:34 PM - System Checkpoint
    RP359: 1/10/2010 8:04:40 PM - System Checkpoint
    RP360: 1/11/2010 8:50:35 PM - System Checkpoint
    RP361: 1/12/2010 9:50:36 PM - System Checkpoint
    RP362: 1/13/2010 10:51:42 PM - System Checkpoint
    RP363: 1/14/2010 11:50:41 PM - System Checkpoint
    RP364: 1/16/2010 12:50:45 AM - System Checkpoint
    RP365: 1/17/2010 1:50:47 AM - System Checkpoint
    RP366: 1/18/2010 2:51:02 AM - System Checkpoint
    RP367: 1/18/2010 8:58:58 AM - Avg8 Update
    RP368: 1/19/2010 9:50:41 AM - System Checkpoint
    RP369: 1/20/2010 10:37:52 AM - System Checkpoint
    RP370: 1/21/2010 12:10:07 PM - System Checkpoint
    RP371: 1/22/2010 12:38:00 PM - System Checkpoint
    RP372: 1/23/2010 1:39:06 PM - System Checkpoint
    RP373: 1/24/2010 2:38:02 PM - System Checkpoint
    RP374: 1/25/2010 3:10:50 PM - System Checkpoint
    RP375: 1/26/2010 9:52:14 AM - Avg8 Update
    RP376: 1/27/2010 10:16:57 AM - System Checkpoint
    RP377: 1/29/2010 5:00:52 PM - System Checkpoint
    RP378: 1/30/2010 8:35:26 AM - Software Distribution Service 3.0
    RP379: 1/31/2010 9:03:06 AM - System Checkpoint
    RP380: 1/31/2010 4:18:06 PM - Installed Java™ 6 Update 17
    RP381: 2/1/2010 5:09:33 PM - System Checkpoint

    ==== Installed Programs ======================

    7-Zip 4.65
    AAC Decoder
    AC3Filter 1.60b
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Viewer CS3
    Adobe PDF Library Files
    Adobe Premiere Pro 1.5
    Adobe Setup
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Audacity 1.3.8 (Unicode)
    Auto Gordian Knot 2.55
    AutoUpdate
    AVG Free 9.0
    AviSynth 2.5
    C-Media WDM Audio Driver
    CDDRV_Installer
    Compatibility Pack for the 2007 Office system
    Core FTP LE 2.1
    Creative MediaSource
    Creative System Information
    Critical Update for Windows Media Player 11 (KB959772)
    CutePDF Writer 2.7
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    Dr. DivX 2.0 OSS
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    DVDFab 6.0.7.0 (18/09/2009)
    DVDFab Platinum 3.2.0.0 Ghosthunter release
    FileZilla Client 3.3.0.1
    Foxit PDF IFilter
    Foxit Reader
    Google Earth
    Google Update Helper
    Google Updater
    H.264 Decoder
    HijackThis 2.0.2
    Hitman Pro 3.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    HP USB Disk Storage Format Tool
    InfraRecorder
    Intel® PRO Network Adapters and Drivers
    Inter-Tel Collaboration Client 2.0
    Jahshaka
    Java™ 6 Update 17
    jZip
    KhalInstallWrapper
    LAME v3.98.2 for Audacity
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    MetaFrame Presentation Server Web Client for Win32
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual J# 2.0 Redistributable Package - SE
    MKV Splitter
    Mozilla Firefox (3.5.7)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    msxml4
    MySQL Tools for 5.0
    Nero 7 Premium
    nLite 1.4.9.1
    Nmap 4.90RC1
    Notepad++
    NVIDIA Drivers
    OpenLibraries
    Red5
    Screencaster Plug-in for FF
    ScreenViewer Client Application
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Sound Blaster Audigy 2 ZS
    Spark 2.5.8
    TeamViewer 4
    Tftpd32 Service Edition (remove only)
    TightVNC 1.3.10
    Tunebite
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.762
    VLC media player 1.0.0
    VMware Infrastructure Client 2.5
    VMware vCenter Converter Standalone
    VMware vSphere Client 4.0
    VMware vSphere Host Update Utility 4.0
    VobSub v2.23 (Remove Only)
    WASTE
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows PowerShell™ 1.0
    Windows XP Service Pack 3
    winpcap-nmap 4.02
    Wootalyzer!
    WXtoImg
    Xvid 1.2.2 final uninstall
    XviD MPEG4 Video Codec (remove only)

    ==== Event Viewer Messages From Past Week ========

    1/31/2010 8:36:11 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    1/31/2010 8:21:39 AM, error: Service Control Manager [7034] - The VMware vCenter Converter Server service terminated unexpectedly. It has done this 1 time(s).
    1/31/2010 8:06:06 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    1/31/2010 6:31:44 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
    1/31/2010 6:30:12 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\atapi.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    1/31/2010 4:28:25 AM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
    1/31/2010 4:28:16 AM, error: Service Control Manager [7034] - The Red5 service terminated unexpectedly. It has done this 1 time(s).
    1/31/2010 3:55:00 PM, error: Service Control Manager [7024] - The Hitman Pro 3.5 Crusader (Boot) service terminated with service-specific error 0 (0x0).
    1/31/2010 3:15:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    1/31/2010 1:30:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    1/31/2010 1:30:48 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    1/31/2010 1:30:48 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/31/2010 1:30:48 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/31/2010 1:30:48 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    1/31/2010 1:30:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/30/2010 8:46:31 AM, error: Service Control Manager [7000] - The Western Digital Array Message Server service failed to start due to the following error: The system cannot find the path specified.
    1/30/2010 8:46:31 AM, error: Service Control Manager [7000] - The OMSCAN service failed to start due to the following error: The system cannot find the file specified.
    1/30/2010 8:46:08 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    1/30/2010 8:46:08 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    1/30/2010 5:47:45 PM, error: LDM [2] - The parameter is incorrect. (80070057).
    1/30/2010 5:34:31 PM, error: Ftdisk [31] - The fault tolerant driver could not read the on disk structures from disk 3.
    1/30/2010 5:26:35 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg9wd service.
    1/30/2010 12:12:48 AM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
    1/30/2010 12:12:48 AM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    1/30/2010 10:59:34 AM, error: LDMS [3014] - Unhandled exception, exception code=6BE.
    1/26/2010 11:14:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the VMware vCenter Converter Agent service to connect.
    1/26/2010 11:14:07 PM, error: Service Control Manager [7000] - The VMware vCenter Converter Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================


    #14 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Florida
    • Local time:07:14 AM

    Posted 08 February 2010 - 12:02 PM

    That looks good. You are just one version behind on Java so I'll post the instructions for bringing it up to date. With the newer versions it should automatically replace the version you have without you having to delete it.

    If everything is running well after this let me know and we will finish up.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
    • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
    • Click the Download JRE button to the right
    • Select the Windows platform from the dropdown menu.
    • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
          Applications and Applets
          Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.

    If I have helped you then please consider donating so I can continue the fight against malware
    All donations go directly to the helper


    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
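The removal steps above are done by hand through Add or Remove Programs. As an added example (not code from the thread, from BleepingComputer, or from Sun), the script below does the same check from Windows PowerShell 1.0, which the DDS log shows is installed on this machine: it reads the per-machine Uninstall keys that Add or Remove Programs displays, flags every Java Runtime entry older than a target release, and builds the silent msiexec command that removes each stale one. The assumptions are mine and not stated on the page: that each JRE was installed from its MSI package, so its entry carries a DisplayVersion such as 1.6.0.170 for 6 Update 17 and a {GUID} product code in UninstallString, and that 1.6.0.180 is the version string of the 6 Update 18 the helper recommends. Running the removals requires an administrator session; by default the script only prints what it would run.

```powershell
# Added example, not from the thread or from Sun: list the Java entries that
# Add or Remove Programs would show, flag the ones older than a target release,
# and build the msiexec command that removes each stale one.
# Assumptions (not stated on the page): the JRE came from its MSI package, so
# each entry has a DisplayVersion such as 1.6.0.170 (6 Update 17) and a {GUID}
# product code in UninstallString; 1.6.0.180 is taken to be 6 Update 18.
# Written for Windows PowerShell 1.0 (no try/catch, no Start-Process).

$TargetVersion = [System.Version]"1.6.0.180"
$Remove        = $false    # $true runs msiexec; $false only prints the commands

# Per-machine uninstall keys. Wow6432Node does not exist on 32-bit XP and is
# skipped by the Test-Path below, so the same script works on x64 hosts.
$uninstallRoots = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)

# DisplayName forms Sun has used for the runtime on XP. The digit after the
# name keeps "Java Auto Updater" and similar helpers out of the match.
$javaNamePattern = '^(Java(\(TM\)|™)? \d|Java 2 Runtime Environment|J2SE Runtime Environment)'

$stale = @()
foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $entry = Get-ItemProperty $key.PSPath
        if (-not ($entry.DisplayName -match $javaNamePattern)) { continue }

        # -as yields $null instead of throwing when DisplayVersion is not x.y.z.w
        $version = $entry.DisplayVersion -as [System.Version]
        $status  = "unknown version, review by hand"
        if ($version -ne $null) {
            if ($version -lt $TargetVersion) { $status = "OLDER than target"; $stale += $entry }
            else                              { $status = "current" }
        }
        Write-Host ("{0,-45} {1,-12} {2}" -f $entry.DisplayName, $entry.DisplayVersion, $status)
    }
}

# Remove stale releases through Windows Installer rather than the vendor
# uninstaller: the run is silent, does not reboot, and leaves a verbose log.
foreach ($entry in $stale) {
    if ($entry.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') {
        $productCode = $matches[0]
        $logFile     = "$env:TEMP\jre-remove-" + ($productCode -replace '[{}]', '') + ".log"
        $msiArgs     = "/x $productCode /qn /norestart /l*v `"$logFile`""
        if ($Remove) {
            Write-Host "Running: msiexec.exe $msiArgs"
            # msiexec is a GUI-subsystem binary; wait on the process explicitly
            $proc = [System.Diagnostics.Process]::Start("msiexec.exe", $msiArgs)
            $proc.WaitForExit()
            Write-Host ("  exit code {0} (0 = removed, 3010 = removed, reboot needed)" -f $proc.ExitCode)
        } else {
            Write-Host "Would run: msiexec.exe $msiArgs"
        }
    } else {
        Write-Host ("No MSI product code for '{0}'; remove it from Add or Remove Programs." -f $entry.DisplayName)
    }
}
```

Run it once with `$Remove = $false` and compare the printed list with what Add or Remove Programs shows before flipping the switch; the same DisplayVersion comparison is what tells you afterwards that only the new release remains, which is the confirmation the helper asks for in the next post.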

    #15 bigjacobus

    bigjacobus
    • Topic Starter

    • Members
    • 8 posts
    • OFFLINE
    •  
    • Local time:04:14 AM

    Posted 08 February 2010 - 08:27 PM

    All done. Java has been updated and no other versions exist.


