
Taskbar went grey, no networking, need help!!



#1 mn3

mn3

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 02 June 2010 - 10:17 PM

Hi All,
I rebooted my laptop the other day and noticed that the taskbar went grey and does not have the Windows XP appearance and I have lost wireless internet connectivity. Also, the longer the computer runs before a reboot, the slower it gets. I ran Malwarebytes AB and it found several suspicious files and registry entries.

Here's the log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/31/2010 9:15:01 PM
mbam-log-2010-05-31 (21-15-01).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 615848
Time elapsed: 1 hour(s), 45 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

I still have the grey taskbar and no internet connectivity.
I'm running Windows XP Professional OS with SP3.

Here is my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by manakamu at 17:47:07.87 on Tue 06/01/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2342 [GMT -7:00]

FW: McAfee Host Intrusion Prevention Firewall *enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Array Networks\Common\8,4,0,264\arr_isrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Array Networks\Array SSL VPN\8,4,0,264\arr_srvs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\NetScaler\NetScaler Secure Remote Access\nsverctl.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\manakamu\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.oracle.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - d:\program files\orbitdownloader\orbitcth.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - d:\program files\orbitdownloader\GrabPro.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ntpgds] c:\windows\orclobi\synctime.exe
mRun: [TweakAutomaticUpdates] c:\windows\orclobi\gdswsuspatch_soon.exe /s
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [<NO NAME>]
mRun: [AutoProfileRepair] "c:\program files\oracle\outlook connector\profilerepair.exe" -msi
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Auction Auto Bidder]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [FirefoxConfig] c:\windows\orclobi\config\firefoxconfig.exe
dRunOnce: [ThunderbirdConfig] c:\windows\orclobi\config\tbirdconfig.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\citrix~1.lnk - c:\program files\netscaler\netscaler secure remote access\nsload.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\Orbit.lnk -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Download by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: callcenteranywhere.com\wwwcod
Trusted Zone: contactondemand.com\demo
Trusted Zone: crmondemand.com\secure-ausomxdsa
Trusted Zone: oracle.com
Trusted Zone: oracleads.com
Trusted Zone: oraclecorp.com\global-service
DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {0D33A8D6-4481-4D2C-A6B2-4894ADCEE173} - hxxp://localhost:8080/21039/applets/SiebelAx_OutBound_mail.cab
DPF: {12CDD9A8-9D52-4B05-BF24-38DE8B1A964F} - hxxp://localhost:8080/21111/applets/SiebelAx_Prodselection.cab
DPF: {1EDFFE1E-C36E-42BC-9275-0B21EECBEEF5} - hxxp://wp7038.oracleads.com/epharma_enu/20408/applets/SiebelAx_Container_Control.cab
DPF: {30C1F757-58DC-45A1-9135-D4AB30932E62} - hxxp://wp7107.oracleads.com/sales_enu/20405/applets/SiebelAx_iHelp.cab
DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} - hxxp://wp7107.oracleads.com/sales_enu/20405/applets/SiebelAx_Catalog_Navigator.cab
DPF: {37BB9B0D-0A10-4188-8726-78D91FD76D72} - hxxp://localhost:8080/21111/applets/SiebelAx_CTI_Toolbar.cab
DPF: {3C29B5A7-E907-4145-9468-7D50941D17E2} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_Marketing_HTML_Editor.cab
DPF: {3DC04435-457B-4500-9580-41623BA1A51C} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_Gantt_Chart.cab
DPF: {418BEDC9-A6B6-4139-8EA8-E7EF3B72D06F} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Prodselection.cab
DPF: {49BAA7E0-E7AE-4559-8B80-874035AF92B5} - hxxp://localhost:8080/21039/applets/SiebelAx_CTI_Toolbar.cab
DPF: {4D9EEA16-4F90-419C-9CDB-971328E01D33} - hxxp://localhost:8080/21039/applets/SiebelAx_iHelp.cab
DPF: {510F7D77-85EE-4D67-95CA-1558F3791FD0} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_HI_Client.cab
DPF: {5E3EDD4D-06E9-4646-A0C4-6882F217F8BC} - hxxp://localhost:8080/21111/applets/SiebelAx_HI_Client.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {7CA6EAD6-196D-4B92-807E-5F7972823A47} - hxxp://wp7124.oracleads.com/epharma_enu/20405/applets/SiebelAx_Container_Control.cab
DPF: {819647C8-39C0-4C59-811C-928277815701} - hxxp://ebiz.corp.siebel.com/callcenter/19221/applets/SiebelAx_OutBound_mail.cab
DPF: {82A019FE-4A3F-4F25-AD31-EEB33711C683} - hxxp://wp7086.oracleads.com/callcenter_enu/20408/applets/SiebelAx_Gantt_Chart.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Desktop_Integration.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://wa7048.oracleads.com/jump/msrdp.cab
DPF: {964E1D93-520D-4282-9939-DA008B733D1D} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_Marketing_Allocation.cab
DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_HI_Client.cab
DPF: {A81B7881-675F-4229-BEBC-64E35E9EDA85} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Configurator.cab
DPF: {ACB6C132-477B-4B80-AF36-03DE847736E6} - hxxp://wp7107.oracleads.com/callcenter_enu/20405/applets/SiebelAx_Smartscript.cab
DPF: {ACE5BEC8-7177-41DB-8182-798547D9736F} - hxxp://wp7107.oracleads.com/callcenter_enu/20405/applets/SiebelAx_CTI_Toolbar.cab
DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} - hxxp://wp7107.oracleads.com/sales_enu/20405/applets/SiebelAx_Prodselection.cab
DPF: {AEEBD195-3345-4E26-96DD-88B73EABC5E8} - hxxp://wa7016.oracleads.com/htim_enu/19223/applets/SiebelAx_Configurator.cab
DPF: {AFBAD129-7A2E-46FE-9D0B-4E48780BE20F} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_OutBound_mail.cab
DPF: {B1FC8390-3058-4776-8103-9B6D3ABE62E0} - hxxp://wa7007.oracleads.com/htim_enu/20405/applets/SiebelAx_Configurator.cab
DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://adc-tele-sslvpn.oracle.com/prx/000/http/localhost/arr_x.cab
DPF: {BD947957-E328-41F5-BA03-689D61A056CF} - hxxp://localhost:8080/21039/applets/SiebelAx_HI_Client.cab
DPF: {C2EB5866-5307-4C45-B080-D5A9371B21CC} - hxxp://wa7055.oracleads.com/sales_enu/20408/applets/SiebelAx_CTI_Toolbar.cab
DPF: {CA99DA29-666E-4C99-96F7-59B67DF04E2B} - hxxp://localhost:8080/21111/applets/SiebelAx_OutBound_mail.cab
DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF5D6725-D5A1-4E36-B44C-D91DD158BC34} - hxxp://localhost:8080/21111/applets/SiebelAx_Catalog_Navigator.cab
DPF: {CF76A11E-B608-4CC4-A2B8-61BDDA22E6E6} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_OutBound_mail.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA97F98C-1479-40CB-B080-3516CB84C2B4} - hxxp://wa7506.oracleads.com/callcenter_enu/21039/applets/SiebelAx_ChatUI.cab
DPF: {DAE71237-62C6-498F-A215-096F0F93DB03} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Catalog_Navigator.cab
DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} - hxxp://ebiz.corp.siebel.com/callcenter/19221/applets/SiebelAx_HI_Client.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://verifone.webex.com/client/T26L/training/ieatgpc.cab
DPF: {E115DFA5-F746-49E7-9206-5084117AE67F} - hxxp://wp7034.oracleads.com/epharma_enu/20408/applets/SiebelAx_Calendar.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file://f:\tools\en\bin\npseatools.cab
DPF: {E417049E-E890-490D-9F94-A447ED674205} - hxxp://wa7034.oracleads.com/callcenter_enu/20408/applets/SiebelAx_iHelp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.oracleads.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E90CC2A3-0116-4676-A25B-8B749CA561D7} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Smartscript.cab
DPF: {EAF60EC0-52EF-49EE-90FC-CC56D72B520D} - hxxp://wp7107.oracleads.com/sales_enu/20405/applets/SiebelAx_Calendar.cab
DPF: {EFB7D763-97A3-11CF-AE19-00608CEADE00} - hxxp://wp7124.oracleads.com/epharma_enu/20405/applets/iTools.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper-dev.oracleads.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://adcns.oracleads.com/vpns/scripts/nsload.ocx
TCP: {12299B8E-0AEB-4324-B87F-43147826FF2D} = 144.20.190.70,130.35.249.41,130.35.249.52
TCP: {E5AC3D83-3B80-4992-BE92-9A21601ED8CA} = 66.174.92.14 69.78.96.14
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 192.168.3.1 MANAKAMU-us.us.oracle.com
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\manakamu\applic~1\mozilla\firefox\profiles\4voo73b6.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - prefs.js: network.proxy.type - 2
FF - component: d:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\manakamu\application data\mozilla\firefox\profiles\4voo73b6.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13121.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-23 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-12-1 343760]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R2 Array_Utility_Service8.4.0.264;Array Utility Service 8,4,0,264;c:\program files\array networks\common\8,4,0,264\arr_isrv.exe [2010-4-26 398768]
R2 ArraySSL_VPN_Service8.4.0.264;Array SSL VPN Service 8,4,0,264;c:\program files\array networks\array ssl vpn\8,4,0,264\arr_srvs.exe [2010-4-26 239024]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2009-10-20 1489984]
R2 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-12-1 35696]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-12-1 70728]
R2 MyDesktopWindows;MyDesktopService;c:\windows\orclobi\mydesktop\MyDesktopService.exe [2010-4-21 1032192]
R2 ns80573;ns80573;c:\windows\system32\ns80573.sys [2009-3-20 42360]
R2 nsverctl;NetScaler SSL VPN Version Control;c:\program files\netscaler\netscaler secure remote access\nsverctl.exe [2009-3-20 53248]
R2 QOSMyDesktop;QOS MyDesktop;c:\windows\orclobi\mydesktop\MyDesktopQOS.exe [2009-10-13 470016]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2009-12-1 44680]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2009-12-1 107960]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2009-12-1 38680]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2009-12-1 35584]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2009-3-20 43640]
R3 owcmirrorV1;owcmirrorV1;c:\windows\system32\drivers\owcmirrorminiV1.sys [2010-2-1 3712]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S2 PMEMNT;PMEMNT;\??\c:\windows\pmemnt.sys --> c:\windows\pmemnt.sys [?]
S3 ATP;ArrayNetworks SSL VPN Miniport Driver;c:\windows\system32\drivers\atpdrvr.sys [2010-4-26 16256]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-7-26 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-7-26 3072]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2009-12-1 44680]
S3 ocautoupds;Oracle Connector Automatic Updates Service;c:\program files\oracle\outlook connector\ocautoupds.exe [2008-8-1 69632]
S3 Oracle BI Cluster Controller;Oracle BI Cluster Controller;d:\oraclebi\server\bin\NQSClusterController.exe [2009-7-27 33792]
S3 Oracle BI Scheduler;Oracle BI Scheduler;d:\oraclebi\server\bin\NQScheduler.exe [2009-7-27 122880]
S3 Oracle BI Server;Oracle BI Server;d:\oraclebi\server\bin\NQSServer.exe [2009-7-27 49152]
S3 OracleOraDb11g_home1ConfigurationManager;OracleOraDb11g_home1ConfigurationManager;d:\app\manakamu\product\111~1.0\db_1\ccr\bin\nmz.exe d:\app\manakamu\product\111~1.0\db_1\ccr --> d:\app\manakamu\product\111~1.0\db_1\ccr\bin\nmz.exe d:\app\manakamu\product\111~1.0\db_1\ccr [?]
S3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;d:\app\manakamu\product\11.1.0\db_1\bin\tnslsnr --> d:\app\manakamu\product\11.1.0\db_1\bin\TNSLSNR [?]
S3 OracleServiceORCL;OracleServiceORCL;d:\app\manakamu\product\11.1.0\db_1\bin\oracle.exe orcl --> d:\app\manakamu\product\11.1.0\db_1\bin\ORACLE.EXE ORCL [?]
S3 sawjavahostsvc;Oracle BI Java Host;d:\oraclebi\web\bin\sawjavahostsvc.exe [2009-7-27 94208]
S3 sawsvc;Oracle BI Presentation Server;d:\oraclebi\web\bin\sawserver.exe [2009-7-27 86016]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
S4 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;d:\app\manakamu\product\11.1.0\db_1\bin\extjob.exe orcl --> d:\app\manakamu\product\11.1.0\db_1\bin\extjob.exe ORCL [?]
S4 vsdatant;vsdatant; [x]
UnknownUnknown dsload;dsload; [x]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2010-06-02 00:38:48 39816 ----a-w- c:\windows\system32\HIPIS0e011af.dll
2010-06-02 00:38:48 113 ----a-w- c:\windows\system32\api_hook_list.dat
2010-06-02 00:36:43 20 ----a-w- c:\documents and settings\manakamu\defogger_reenable
2010-05-31 22:50:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-22 07:48:16 0 d-----w- c:\program files\iPod
2010-05-22 07:48:10 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-22 07:40:40 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 15:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-27 01:40:49 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2010-03-17 15:51:42 82696 ----a-w- c:\windows\system32\lmdimon8.dll
2010-03-10 17:05:50 247216 ----a-w- c:\windows\system32\ArrayApi.dll
2010-03-10 17:05:44 140720 ----a-w- c:\windows\system32\arr_launch.exe
2010-03-10 17:05:42 79280 ----a-w- c:\windows\system32\arr_getp.exe
2010-03-10 17:03:06 90112 ----a-w- c:\windows\system32\arr_ndjni.dll
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-03-05 18:45:51 456704 ------w- c:\windows\system32\dllcache\smtpsvc.dll
2009-10-07 21:09:08 226960 ----a-w- c:\program files\cnsload_1254949748795.tmp
2006-02-13 18:32:02 9665 ----a-w- c:\program files\INSTALL.LOG

============= FINISH: 17:49:02.62 ===============


Any help would be appreciated.

Thanks,

Mark
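The DDS report above is the kind of output a helper reads by eye for empty autorun values, browser add-ons that point at files which no longer exist, services whose binaries are gone, and browser proxy settings that were changed out from under the user. As an added example that is not part of the original post or of the DDS tool, the following Python script applies those same checks mechanically. The flagging rules, the `Finding` and `triage` names and the "[x]"/"[?]" interpretation are the editor's assumptions rather than documented DDS semantics, and the sample input is constructed from a handful of lines copied from the log in this post.

```python
"""Triage helper for the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' sections
of a DDS log.

Added example; not part of the original post or of the DDS tool itself.
The heuristics below are assumptions, not DDS semantics: an autorun entry
with no command, a toolbar or explorer bar registered as 'No File', a
service or driver whose binary DDS marks '[x]' or '[?]', and a Firefox
proxy override are worth a second look, but none of them proves infection.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines copied from the DDS log posted above.
SAMPLE = r"""
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [<NO NAME>]
mRun: [Auction Auto Bidder]
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
FF - prefs.js: network.proxy.type - 2
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-12-1 70728]
S2 PMEMNT;PMEMNT;\??\c:\windows\pmemnt.sys --> c:\windows\pmemnt.sys [?]
S4 vsdatant;vsdatant; [x]
UnknownUnknown dsload;dsload; [x]
"""

# u/m/d prefixes are DDS's HKCU / HKLM / default-user Run keys.
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
NOFILE_RE = re.compile(r"^(?:TB|EB|BHO): .* - No File$")
SVC_RE = re.compile(r"^(?:[RS][0-4]|UnknownUnknown) (?P<svc>[^;]+);[^;]*;(?P<rest>.*)$")
FFPROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (?P<val>\d+)$")

NO_COMMAND = "autorun entry with no command"
NO_FILE = "browser add-on registered but file missing"
NO_BINARY = "service/driver binary missing or unverified"
PROXY = "Firefox proxy override (network.proxy.type != 0)"


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage(text: str) -> list[Finding]:
    """Return one Finding per log line that trips a heuristic."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            # Run value present in the registry but with an empty command.
            if not m.group("cmd").strip():
                findings.append(Finding(line, NO_COMMAND))
        elif NOFILE_RE.match(line):
            findings.append(Finding(line, NO_FILE))
        elif m := SVC_RE.match(line):
            # DDS appends '[x]' / '[?]' when it cannot find or verify the image.
            if m.group("rest").rstrip().endswith(("[x]", "[?]")):
                findings.append(Finding(line, NO_BINARY))
        elif m := FFPROXY_RE.match(line):
            # 0 = direct connection; anything else routes the browser elsewhere.
            if m.group("val") != "0":
                findings.append(Finding(line, PROXY))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason so a long log reduces to a short list."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    found = triage(SAMPLE)
    for f in found:
        print(f"{f.reason:<50} {f.line}")
    print(summarize(found))
```

Run it against a saved DDS log by reading the file into `triage()` instead of `SAMPLE`. On the constructed sample it flags the two empty `mRun` values, the two `No File` add-ons, the three services with missing images (`PMEMNT`, `vsdatant`, `dsload`) and the Firefox proxy setting, and leaves the legitimate Intel, ctfmon and McAfee entries alone; each hit still needs a human to decide whether it is leftover clutter from an uninstalled product or something worth removing.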





#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:08:54 PM

Posted 06 June 2010 - 11:33 AM

Hello mn3

Welcome to BleepingComputer
==========================
One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
========================
Download TDSSKiller and save it to your Desktop.
  • Right click on the file, choose Extract All, extract the file to your desktop, then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log
================
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by kahdah, 06 June 2010 - 11:34 AM.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 mn3

mn3
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 09 June 2010 - 11:36 PM

Hi Kahdah,

Thanks for the reply. Ran both TDSSKiller and ComboFix and the taskbar has returned back to normal and the network connection has returned. I've attached both log files.

Thanks,

Mark


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:08:54 PM

Posted 10 June 2010 - 06:43 AM

You are welcome.

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double-click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
=====
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#5 mn3


Posted 10 June 2010 - 04:24 PM

Malwarebytes' Anti-Malware updated and run.

Here's the report that it generated:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4187

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/10/2010 1:51:32 PM
mbam-log-2010-06-10 (13-51-32).txt

Scan type: Quick scan
Objects scanned: 143858
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Mark

#6 kahdah


Posted 11 June 2010 - 06:21 AM

Great, post the Kaspersky log when you can.

#7 mn3


Posted 11 June 2010 - 12:44 PM

Oops. Missed that part of the post. Will post later tonight when I get home.

Mark

#8 kahdah


Posted 11 June 2010 - 01:24 PM

OK, no problem, post it when you get it done.

#9 mn3


Posted 12 June 2010 - 04:33 PM

Ran Kaspersky and here are the results:

Saturday, June 12, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, June 11, 2010 23:16:03
Records in database: 4260874


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\

Scan statistics
Objects scanned 490006
Threats found 1
Infected objects found 3
Suspicious objects found 0
Scan duration 12:52:27

File name Threat Threats count
C:\Documents and Settings\manakamu\Application Data\Sun\Java\Deployment\cache\6.0\58\63937d7a-6eb2f4a5 Infected: Trojan-Downloader.Java.Agent.en 3

Selected area has been scanned.


Mark

#10 kahdah


Posted 12 June 2010 - 06:08 PM

I will need you to show hidden Files\Folders.
To do this:
    *Click Start.
    *Open My Computer.
    *Select the Tools menu and click Folder Options.
    *Select the View Tab.
    *Under the Hidden files and folders heading select Show hidden files and folders.
    *Uncheck the Hide protected operating system files (recommended) option.
    *Click Yes to confirm.
    *Click OK

After that, using Windows Explorer (to get there right-click your Start button and go to "Explore"),
Delete this file listed below:
C:\Documents and Settings\manakamu\Application Data\Sun\Java\Deployment\cache\6.0\58\63937d7a-6eb2f4a5

Now close Windows Explorer.

Now reset your Hidden files\folders to hidden.
To reset:
    *Click Start.
    *Open My Computer.
    *Select the Tools menu and click Folder Options.
    *Select the View Tab.
    *Under the Hidden files and folders heading select Do not Show hidden files and folders.
    *Check the Hide protected operating system files (recommended) option.
    *Click Yes to confirm.
    *Click OK
=============
After that run dds once more and post only the DDS.txt that opens.
Let me know how it is running and if there are anymore issues.

#11 mn3


Posted 12 June 2010 - 07:29 PM

Ran DDS and here are the results of the DDS.txt file:

DDS (Ver_10-03-17.01) - NTFSx86
Run by manakamu at 17:26:24.81 on Sat 06/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2280 [GMT -7:00]

FW: McAfee Host Intrusion Prevention Firewall *disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Array Networks\Common\8,4,0,264\arr_isrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Array Networks\Array SSL VPN\8,4,0,264\arr_srvs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\NetScaler\NetScaler Secure Remote Access\nsverctl.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Launchy\Launchy.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\manakamu\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.oracle.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe
uInternet Settings,ProxyServer = guest.hds.com:8080
uInternet Settings,ProxyOverride = ;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - d:\program files\orbitdownloader\orbitcth.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - d:\program files\orbitdownloader\GrabPro.dll
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ntpgds] c:\windows\orclobi\synctime.exe
mRun: [TweakAutomaticUpdates] c:\windows\orclobi\gdswsuspatch_soon.exe /s
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AutoProfileRepair] "c:\program files\oracle\outlook connector\profilerepair.exe" -msi
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [FirefoxConfig] c:\windows\orclobi\config\firefoxconfig.exe
dRunOnce: [ThunderbirdConfig] c:\windows\orclobi\config\tbirdconfig.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\citrix~1.lnk - c:\program files\netscaler\netscaler secure remote access\nsload.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\Orbit.lnk -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Download by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - d:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: callcenteranywhere.com\wwwcod
Trusted Zone: contactondemand.com\demo
Trusted Zone: crmondemand.com\secure-ausomxdsa
Trusted Zone: oracle.com
Trusted Zone: oracleads.com
Trusted Zone: oraclecorp.com\global-service
DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {0D33A8D6-4481-4D2C-A6B2-4894ADCEE173} - hxxp://localhost:8080/21039/applets/SiebelAx_OutBound_mail.cab
DPF: {12CDD9A8-9D52-4B05-BF24-38DE8B1A964F} - hxxp://localhost:8080/21111/applets/SiebelAx_Prodselection.cab
DPF: {1EDFFE1E-C36E-42BC-9275-0B21EECBEEF5} - hxxp://wp7038.oracleads.com/epharma_enu/20408/applets/SiebelAx_Container_Control.cab
DPF: {30C1F757-58DC-45A1-9135-D4AB30932E62} - hxxp://wp7107.oracleads.com/sales_enu/20405/applets/SiebelAx_iHelp.cab
DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} - hxxp://wp7107.oracleads.com/sales_enu/20405/applets/SiebelAx_Catalog_Navigator.cab
DPF: {37BB9B0D-0A10-4188-8726-78D91FD76D72} - hxxp://localhost:8080/21111/applets/SiebelAx_CTI_Toolbar.cab
DPF: {3C29B5A7-E907-4145-9468-7D50941D17E2} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_Marketing_HTML_Editor.cab
DPF: {3DC04435-457B-4500-9580-41623BA1A51C} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_Gantt_Chart.cab
DPF: {418BEDC9-A6B6-4139-8EA8-E7EF3B72D06F} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Prodselection.cab
DPF: {49BAA7E0-E7AE-4559-8B80-874035AF92B5} - hxxp://localhost:8080/21039/applets/SiebelAx_CTI_Toolbar.cab
DPF: {4D9EEA16-4F90-419C-9CDB-971328E01D33} - hxxp://localhost:8080/21039/applets/SiebelAx_iHelp.cab
DPF: {510F7D77-85EE-4D67-95CA-1558F3791FD0} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_HI_Client.cab
DPF: {5E3EDD4D-06E9-4646-A0C4-6882F217F8BC} - hxxp://localhost:8080/21111/applets/SiebelAx_HI_Client.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {7CA6EAD6-196D-4B92-807E-5F7972823A47} - hxxp://wp7124.oracleads.com/epharma_enu/20405/applets/SiebelAx_Container_Control.cab
DPF: {819647C8-39C0-4C59-811C-928277815701} - hxxp://ebiz.corp.siebel.com/callcenter/19221/applets/SiebelAx_OutBound_mail.cab
DPF: {82A019FE-4A3F-4F25-AD31-EEB33711C683} - hxxp://wp7086.oracleads.com/callcenter_enu/20408/applets/SiebelAx_Gantt_Chart.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Desktop_Integration.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://wa7048.oracleads.com/jump/msrdp.cab
DPF: {964E1D93-520D-4282-9939-DA008B733D1D} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_Marketing_Allocation.cab
DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_HI_Client.cab
DPF: {A81B7881-675F-4229-BEBC-64E35E9EDA85} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Configurator.cab
DPF: {ACB6C132-477B-4B80-AF36-03DE847736E6} - hxxp://wp7107.oracleads.com/callcenter_enu/20405/applets/SiebelAx_Smartscript.cab
DPF: {ACE5BEC8-7177-41DB-8182-798547D9736F} - hxxp://wp7107.oracleads.com/callcenter_enu/20405/applets/SiebelAx_CTI_Toolbar.cab
DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} - hxxp://wp7107.oracleads.com/sales_enu/20405/applets/SiebelAx_Prodselection.cab
DPF: {AEEBD195-3345-4E26-96DD-88B73EABC5E8} - hxxp://wa7016.oracleads.com/htim_enu/19223/applets/SiebelAx_Configurator.cab
DPF: {AFBAD129-7A2E-46FE-9D0B-4E48780BE20F} - hxxp://wp7107.oracleads.com/marketing_enu/20405/applets/SiebelAx_OutBound_mail.cab
DPF: {B1FC8390-3058-4776-8103-9B6D3ABE62E0} - hxxp://wa7007.oracleads.com/htim_enu/20405/applets/SiebelAx_Configurator.cab
DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://adc-tele-sslvpn.oracle.com/prx/000/http/localhost/arr_x.cab
DPF: {BD947957-E328-41F5-BA03-689D61A056CF} - hxxp://localhost:8080/21039/applets/SiebelAx_HI_Client.cab
DPF: {C2EB5866-5307-4C45-B080-D5A9371B21CC} - hxxp://wa7055.oracleads.com/sales_enu/20408/applets/SiebelAx_CTI_Toolbar.cab
DPF: {CA99DA29-666E-4C99-96F7-59B67DF04E2B} - hxxp://localhost:8080/21111/applets/SiebelAx_OutBound_mail.cab
DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF5D6725-D5A1-4E36-B44C-D91DD158BC34} - hxxp://localhost:8080/21111/applets/SiebelAx_Catalog_Navigator.cab
DPF: {CF76A11E-B608-4CC4-A2B8-61BDDA22E6E6} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_OutBound_mail.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA97F98C-1479-40CB-B080-3516CB84C2B4} - hxxp://wa7506.oracleads.com/callcenter_enu/21039/applets/SiebelAx_ChatUI.cab
DPF: {DAE71237-62C6-498F-A215-096F0F93DB03} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Catalog_Navigator.cab
DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} - hxxp://ebiz.corp.siebel.com/callcenter/19221/applets/SiebelAx_HI_Client.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://verifone.webex.com/client/T26L/training/ieatgpc.cab
DPF: {E115DFA5-F746-49E7-9206-5084117AE67F} - hxxp://wp7034.oracleads.com/epharma_enu/20408/applets/SiebelAx_Calendar.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file://f:\tools\en\bin\npseatools.cab
DPF: {E417049E-E890-490D-9F94-A447ED674205} - hxxp://wa7034.oracleads.com/callcenter_enu/20408/applets/SiebelAx_iHelp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.oracleads.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E90CC2A3-0116-4676-A25B-8B749CA561D7} - hxxp://wa7048.oracleads.com/sales_enu/20408/applets/SiebelAx_Smartscript.cab
DPF: {EAF60EC0-52EF-49EE-90FC-CC56D72B520D} - hxxp://wp7107.oracleads.com/sales_enu/20405/applets/SiebelAx_Calendar.cab
DPF: {EFB7D763-97A3-11CF-AE19-00608CEADE00} - hxxp://wp7124.oracleads.com/epharma_enu/20405/applets/iTools.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper-dev.oracleads.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://adcns.oracleads.com/vpns/scripts/nsload.ocx
TCP: {12299B8E-0AEB-4324-B87F-43147826FF2D} = 144.20.190.70,130.35.249.41,130.35.249.52
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\manakamu\applic~1\mozilla\firefox\profiles\4voo73b6.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - prefs.js: network.proxy.type - 2
FF - component: d:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\manakamu\application data\mozilla\firefox\profiles\4voo73b6.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13121.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-12-1 343760]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R2 Array_Utility_Service8.4.0.264;Array Utility Service 8,4,0,264;c:\program files\array networks\common\8,4,0,264\arr_isrv.exe [2010-4-26 398768]
R2 ArraySSL_VPN_Service8.4.0.264;Array SSL VPN Service 8,4,0,264;c:\program files\array networks\array ssl vpn\8,4,0,264\arr_srvs.exe [2010-4-26 239024]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2009-10-20 1489984]
R2 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-12-1 35696]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-12-1 70728]
R2 MyDesktopWindows;MyDesktopService;c:\windows\orclobi\mydesktop\MyDesktopService.exe [2010-4-21 1032192]
R2 ns80573;ns80573;c:\windows\system32\ns80573.sys [2009-3-20 42360]
R2 nsverctl;NetScaler SSL VPN Version Control;c:\program files\netscaler\netscaler secure remote access\nsverctl.exe [2009-3-20 53248]
R2 QOSMyDesktop;QOS MyDesktop;c:\windows\orclobi\mydesktop\MyDesktopQOS.exe [2009-10-13 470016]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2009-12-1 44680]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2009-12-1 107960]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2009-12-1 38680]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2009-12-1 35584]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2009-3-20 43640]
R3 owcmirrorV1;owcmirrorV1;c:\windows\system32\drivers\owcmirrorminiV1.sys [2010-2-1 3712]
S0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-3 64288]
S2 PMEMNT;PMEMNT;\??\c:\windows\pmemnt.sys --> c:\windows\pmemnt.sys [?]
S3 ATP;ArrayNetworks SSL VPN Miniport Driver;c:\windows\system32\drivers\atpdrvr.sys [2010-4-26 16256]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-7-26 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-7-26 3072]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2009-12-1 44680]
S3 ocautoupds;Oracle Connector Automatic Updates Service;c:\program files\oracle\outlook connector\ocautoupds.exe [2008-8-1 69632]
S3 Oracle BI Cluster Controller;Oracle BI Cluster Controller;d:\oraclebi\server\bin\NQSClusterController.exe [2009-7-27 33792]
S3 Oracle BI Scheduler;Oracle BI Scheduler;d:\oraclebi\server\bin\NQScheduler.exe [2009-7-27 122880]
S3 Oracle BI Server;Oracle BI Server;d:\oraclebi\server\bin\NQSServer.exe [2009-7-27 49152]
S3 OracleOraDb11g_home1ConfigurationManager;OracleOraDb11g_home1ConfigurationManager;d:\app\manakamu\product\111~1.0\db_1\ccr\bin\nmz.exe d:\app\manakamu\product\111~1.0\db_1\ccr --> d:\app\manakamu\product\111~1.0\db_1\ccr\bin\nmz.exe d:\app\manakamu\product\111~1.0\db_1\ccr [?]
S3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;d:\app\manakamu\product\11.1.0\db_1\bin\tnslsnr --> d:\app\manakamu\product\11.1.0\db_1\bin\TNSLSNR [?]
S3 OracleServiceORCL;OracleServiceORCL;d:\app\manakamu\product\11.1.0\db_1\bin\oracle.exe orcl --> d:\app\manakamu\product\11.1.0\db_1\bin\ORACLE.EXE ORCL [?]
S3 sawjavahostsvc;Oracle BI Java Host;d:\oraclebi\web\bin\sawjavahostsvc.exe [2009-7-27 94208]
S3 sawsvc;Oracle BI Presentation Server;d:\oraclebi\web\bin\sawserver.exe [2009-7-27 86016]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
S4 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;d:\app\manakamu\product\11.1.0\db_1\bin\extjob.exe orcl --> d:\app\manakamu\product\11.1.0\db_1\bin\extjob.exe ORCL [?]
S4 vsdatant;vsdatant; [x]
UnknownUnknown dsload;dsload; [x]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2010-06-10 06:01:50 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-10 04:47:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-10 04:27:40 39816 ----a-w- c:\windows\system32\HIPIS0e011af.dll
2010-06-10 04:27:40 113 ----a-w- c:\windows\system32\api_hook_list.dat
2010-06-10 03:25:04 98816 ----a-w- c:\windows\sed.exe
2010-06-10 03:25:04 77312 ----a-w- c:\windows\MBR.exe
2010-06-10 03:25:04 256512 ----a-w- c:\windows\PEV.exe
2010-06-10 03:25:04 161792 ----a-w- c:\windows\SWREG.exe
2010-06-03 22:20:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-03 21:00:34 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-03 21:00:15 0 d-----w- c:\program files\Lavasoft
2010-06-03 19:26:15 0 d-----w- c:\windows\SxsCaPendDel
2010-06-02 00:36:43 20 ----a-w- c:\documents and settings\manakamu\defogger_reenable
2010-05-31 22:50:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-22 07:48:16 0 d-----w- c:\program files\iPod
2010-05-22 07:48:10 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-22 07:40:40 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-06-10 03:18:14 49024 ----a-w- c:\windows\system32\drivers\ql1280.sys
2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 15:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-27 01:40:49 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2010-03-17 15:51:42 82696 ----a-w- c:\windows\system32\lmdimon8.dll

============= FINISH: 17:26:35.10 ===============


The PC seems to be running fine. The taskbar is back to its normal color and I have internet connectivity once more. It's also not as sluggish as it was before.

Thanks for all your help kahdah.

Mark
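A small triage helper for DDS logs of the kind posted above, added here as an illustration and not part of the thread or of the DDS tool itself: it parses the SERVICES / DRIVERS section and flags entries whose binary DDS could not locate. The sample lines are constructed from the log's layout, and reading the `[?]` marker as "file not found" and `[x]` as "no image path" is my assumption about the DDS convention.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines in the layout of the DDS log posted
# above (section banner, then one service/driver per line). Not the full log.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-12-1 343760]
R2 ns80573;ns80573;c:\windows\system32\ns80573.sys [2009-3-20 42360]
S2 PMEMNT;PMEMNT;\??\c:\windows\pmemnt.sys --> c:\windows\pmemnt.sys [?]
S4 vsdatant;vsdatant; [x]
UnknownUnknown dsload;dsload; [x]

============== File Associations ===============
"""

# "=== TITLE ===" banners separate the sections of a DDS log.
SECTION_HEADER = re.compile(r"^=+\s*(?P<title>.*?)\s*=+$")
# <start> <service name>;<display name>;<image path> [<date> <size>]
ENTRY_RE = re.compile(r"^(?P<start>\S+)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
# Trailing bracket: "[date size]", "[?]" or "[x]".
TAIL_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<tail>[^\]]*)\]\s*$")
# Running (R) / stopped (S) plus the service start type digit, as DDS prints them.
KNOWN_START = {"R0", "R1", "R2", "R3", "S0", "S1", "S2", "S3", "S4"}


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    image_path: str
    date: Optional[str] = None
    size: Optional[int] = None
    # Assumption about DDS markers: "[?]" -> file_not_found, "[x]" -> no_image.
    status: str = "ok"


def _parse_entry(line: str) -> Optional[ServiceEntry]:
    m = ENTRY_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    t = TAIL_RE.match(rest)
    if not t:
        return ServiceEntry(m.group("start"), m.group("name"), m.group("display"), rest)
    path, tail = t.group("path").strip(), t.group("tail").strip()
    # "registry path --> resolved path": keep the path DDS actually looked for.
    if "-->" in path:
        path = path.split("-->")[-1].strip()
    entry = ServiceEntry(m.group("start"), m.group("name"), m.group("display"), path)
    if tail == "?":
        entry.status = "file_not_found"
    elif tail == "x":
        entry.status = "no_image"
    else:
        parts = tail.split()
        if len(parts) == 2 and parts[1].isdigit():
            entry.date, entry.size = parts[0], int(parts[1])
    return entry


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Return the entries of the SERVICES / DRIVERS section, in log order."""
    entries: List[ServiceEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = SECTION_HEADER.match(line)
        if h:
            in_section = h.group("title").upper() == "SERVICES / DRIVERS"
            continue
        if in_section:
            e = _parse_entry(line)
            if e:
                entries.append(e)
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Flag entries a helper would look at first: missing binaries and odd start types."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.status == "file_not_found":
            findings.append((e.name, f"binary not found on disk: {e.image_path}"))
        elif e.status == "no_image":
            findings.append((e.name, "service has no image path"))
        if e.start not in KNOWN_START:
            findings.append((e.name, f"unrecognised start type {e.start!r}"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_dds_services(SAMPLE_DDS)):
        print(f"{name}: {reason}")
```

Entries flagged this way are leads for the helper to verify (a leftover from an uninstalled product looks the same as a removed malicious driver), not a verdict on their own.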


#12 kahdah


Posted 12 June 2010 - 08:36 PM

Great, you are welcome.

=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall; it needs to be there.
===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
Delete/uninstall anything else that we have used that is left over.

=====================================
After that you're all set.


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, e.g. BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
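Added here as an example, not part of the thread or of kahdah's instructions, is a PowerShell script that lists the same Java entries Add/Remove Programs shows in the steps above and marks every one older than the newest installed version as a removal candidate. It reads the standard Uninstall registry keys (plus WOW6432Node on 64-bit Windows); the name pattern for Sun's installers and the PowerShell 2.0-compatible syntax for an XP-era host are assumptions.

```powershell
# Added example (not the thread's own instructions): enumerate Java runtimes from the
# Add/Remove Programs registry data and flag all but the newest as outdated.
# Assumption: Java installers register under these Uninstall keys with DisplayName,
# DisplayVersion and UninstallString values, and name themselves "Java..." or "J2SE...".

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaInstalls {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match '^(Java|J2SE)' -and
            $_.DisplayName -notmatch 'Auto Updater'   # updater is not a runtime
        } |
        ForEach-Object {
            # DisplayVersion is not always a clean dotted number; keep unparseable
            # entries with a null Version so they still appear for manual review.
            $ver = $null
            try { $ver = [Version]$_.DisplayVersion } catch { }
            New-Object PSObject -Property @{
                Name            = $_.DisplayName
                Version         = $ver
                RawVersion      = $_.DisplayVersion
                UninstallString = $_.UninstallString
            }
        }

    # Newest parsed version present; everything below it is what the steps remove.
    $newest = ($entries | Where-Object { $_.Version } |
        Sort-Object Version -Descending | Select-Object -First 1).Version

    foreach ($e in $entries) {
        $outdated = [bool]($e.Version -and $e.Version -lt $newest)
        $e | Add-Member -MemberType NoteProperty -Name Outdated -Value $outdated -PassThru
    }
}

# Review the list, then remove each Outdated entry via Add/Remove Programs or
# by running its UninstallString.
Get-JavaInstalls | Sort-Object Version | Format-Table Name, RawVersion, Outdated -AutoSize
```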



