Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows 7 Google Re-Direct


  • This topic is locked This topic is locked
3 replies to this topic

#1 norcalcop

norcalcop

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 11 June 2011 - 04:56 AM

Connected at a hotel this weekend and got this infected on here. Running McAfee Enterprise 8.7 (Work Laptop) and getting the redirect on 90% of websites. Tried all the standard removals and here are my logs.

.
DDS (Ver_2011-06-11.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by kstead at 2:41:52 on 2011-06-11
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3036.1082 [GMT -7:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\CmgShieldSvc.exe
C:\Windows\system32\EMSService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\atashost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\IBM\Lotus\Notes\nsd.exe
C:\Program Files\IBM\Lotus\Notes\nslsvice.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Windows\system32\gdi3232.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\Plugins\usage\discusge.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\ProgramData\umrdp32.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\atieclxx.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\System32\CmgShieldUI.exe
C:\Windows\System32\EmsServiceHelper.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Everything\Everything.exe
C:\Program Files\Hewlett-Packard\Discovery Agent\Plugins\usage\discfcsn.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Users\kstead\AppData\Local\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\Program Files\WebEx\Productivity Tools\ptim.exe
C:\Program Files\Hewlett-Packard\HP 3D DriveGuard\accelerometerST.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.4\slpcap.exe
C:\Program Files\WebEx\Productivity Tools\ptSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\kstead\Downloads\OTL.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Windows\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: {00797ec6-6c0b-462c-90c6-f7887064fa4f} - c:\windows\system32\aepic32.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
BHO: ec75c592: {993abbaa-3719-b9b0-723a-b5bd6f6fdc3a} - c:\programdata\aepic32.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Google Update] "c:\users\kstead\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [PTIM.exe] c:\program files\webex\productivity tools\PTIM.exe
uRun: [AccelerometerSysTrayApplet] "c:\program files\hewlett-packard\hp 3d driveguard\AccelerometerSt.Exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ISUSPM] c:\programdata\flexnet\connect\11\ISUSPM.exe -scheduler
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\soundmax.exe /tray
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [CmgShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [EmsService] EmsServiceHelper.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [EDFcsn] c:\program files\hewlett-packard\discovery agent\plugins\usage\discfcsn.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking11\Ereg.ini"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\smartc~1.lnk - c:\program files\seiko instruments usa inc\smart label printer 6.4\slpcap.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 8\SnagIt32.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: ForceRunOnStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: QuickLaunchEnabled = 1 (0x1)
uPolicies-explorer: TaskbarNoNotification = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
uPolicies-explorer: RestrictWelcomeCenter = 1 (0x1)
uPolicies-explorer: TaskbarNoRedock = 0 (0x0)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
mPolicies-explorer: DontSetAutoplayCheckbox = 1 (0x1)
mPolicies-explorer: NoAutorun = 1 (0x1)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableVirtualization = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Video Converter... - c:\program files\media player utilities 5.15\aviconverter\grab.html
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: catissue
Trusted Zone: hsmail
Trusted Zone: images
Trusted Zone: ucdavis.edu\catissue.ucdmc
Trusted Zone: ucdavis.edu\images.ucdmc
Trusted Zone: ucdavis.edu\outsideimages.ucdmc
Trusted Zone: ucdavis.edu\sharepoint.ucdmc
Trusted Zone: catissue
Trusted Zone: hsmail
Trusted Zone: images
Trusted Zone: ucdavis.edu\catissue.ucdmc
Trusted Zone: ucdavis.edu\images.ucdmc
Trusted Zone: ucdavis.edu\outsideimages.ucdmc
Trusted Zone: ucdavis.edu\sharepoint.ucdmc
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} - hxxp://draltiris01/Altiris/NS/NSCap/Bin/Win32/x86/AltirisNSConsole.cab
DPF: {7B5A802A-67CA-4A1B-8219-8929B3B23AFA} - hxxp://testvmonb01/AppNet/activex/OBXWebViewer.cab
DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} - hxxps://browsercheck.qualys.com/qbc_ax.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxp://testvmonb01/AppNet/activex/OBXPopup.cab
DPF: {A5AFA998-4529-45B4-B9F8-F69DF90D0F90} - hxxp://draltiris01/Altiris/NS/NSCap/Bin/Win32/X86/RcWebCab.CAB
DPF: {B9D9D0B5-EE16-4EB2-8CF3-DB96EBD31488} - hxxp://testvmonb01/AppNet/activex/OBXWebSelect.cab
DPF: {BEC2768D-297F-4A58-B004-DC0637A60F88} - hxxp://hswebasp02/stratacap7/SCapEC7.CAB
DPF: {CA37BD30-40D0-44A5-AEA0-285770E14AA9} - hxxp://draltiris01/Altiris/NS/NSCap/Bin/Win32/X86/CCConfig.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 4.2.2.1
TCP: Interfaces\{6DAD8F97-9BD2-48FE-8A9D-93507C910DF4} : DhcpNameServer = 4.2.2.1
TCP: Interfaces\{6DAD8F97-9BD2-48FE-8A9D-93507C910DF4}\359454252514 : DhcpNameServer = 192.168.74.130
TCP: Interfaces\{6DAD8F97-9BD2-48FE-8A9D-93507C910DF4}\5736468637D20727F646 : DhcpNameServer = 152.79.105.105 152.79.115.115
TCP: Interfaces\{6DAD8F97-9BD2-48FE-8A9D-93507C910DF4}\65542525F4 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6DAD8F97-9BD2-48FE-8A9D-93507C910DF4}\8416E646C6562797F53516E6F5642716E636963736F6 : DhcpNameServer = 4.2.2.1
TCP: Interfaces\{B8C1D502-59D8-4529-9964-4F40BEDCB4AA} : DhcpNameServer = 75.75.75.75 75.75.76.76
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\kace\kontai~1\avildr.dll,c:\programdata\aepic32.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {439113CE-2797-47E8-BA3D-03F300777207} - "c:\program files\hummingbird\connectivity\13.00\accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1 LOGGINGLEVEL=5
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kstead\appdata\roaming\mozilla\firefox\profiles\2qq4uiba.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Firefox Add-ons
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\autodesk\autodesk design review firefox add-on v1.1\npADRdwf.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\kstead\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\users\kstead\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
============= SERVICES / DRIVERS ===============
.
R0 CmgHiber;CmgHiber;c:\windows\system32\drivers\CmgHiber.sys [2010-6-30 101992]
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2010-6-30 299624]
R0 CMGShieldReg;CMGShieldReg;c:\windows\system32\drivers\CmgShREG.sys [2010-6-30 22632]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-7-28 343920]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-9-15 116536]
R2 CMGShield;CMGShield;c:\windows\system32\CmgShieldSvc.exe [2010-1-12 2696616]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2010-12-13 296808]
R2 EMS;EMS;EMSService.exe --> EMSService.exe [?]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-6-15 26168]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\ibm\lotus\notes\nsd.exe [2010-11-13 3405192]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-1-6 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-1-6 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-7-28 70728]
R2 prgnDiscAgent;HP DDMI Agent;c:\program files\hewlett-packard\discovery agent\bin32\discagnt.exe [2011-3-16 775736]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-6-1 2337144]
R2 wcncsvc32;Windows Connect Now - Config Registrar ;c:\windows\system32\gdi3232.exe [2011-6-10 769536]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2010-3-1 482176]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-7-16 227896]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2010-7-16 221912]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-28 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-28 43288]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-7-16 49152]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
R4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-11 366640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-24 136176]
S2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2010-7-9 1053440]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-24 136176]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2010-8-12 11264]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-28 66600]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;c:\program files\sony\sound organizer\sony.earth\PACSPTISVR.exe [2010-11-19 157024]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-2-24 15872]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-24 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-16 1343400]
S3 wmamp3DriverV32;wmamp3DriverV32;c:\windows\system32\drivers\wmamp3DriverV32.sys [2010-8-5 23608]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
.scr=DWGTrueViewScriptFile
.
=============== Created Last 30 ================
.
2011-06-11 09:39:29 711728 ------w- c:\temp\_iu14D2N.tmp
2011-06-11 08:54:17 -------- dc----w- c:\users\kstead\appdata\local\MigWiz
2011-06-11 08:08:54 -------- d-----w- c:\users\kstead\appdata\roaming\Malwarebytes
2011-06-11 08:08:39 -------- d-----w- c:\programdata\Malwarebytes
2011-06-11 08:08:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-11 07:36:11 -------- d-----w- C:\_OTM
2011-06-11 03:11:29 428032 ----a-w- c:\windows\WRServices.dll
2011-06-10 19:18:24 769536 ----a-w- c:\programdata\umrdp32.exe
2011-06-10 19:18:23 168960 ----a-w- c:\programdata\aepic32.dll
2011-06-10 19:18:22 769536 ----a-w- c:\windows\system32\gdi3232.exe
2011-06-10 19:18:20 350720 ----a-w- c:\windows\system32\aepic32.dll
2011-06-09 04:15:32 -------- d-----w- c:\program files\iPod
2011-06-08 14:23:49 -------- d-----w- c:\users\kstead\appdata\roaming\smkits
2011-06-08 03:31:51 -------- d-----w- c:\users\kstead\appdata\local\Oberon Media
2011-06-08 03:24:07 -------- d-----w- c:\users\kstead\appdata\roaming\Oberon Media
2011-06-05 05:17:25 -------- d-----w- c:\users\kstead\appdata\roaming\ABF software
2011-06-05 05:14:53 -------- d-----w- c:\program files\Audio Tags Editor
2011-06-05 03:51:35 -------- d-----w- c:\users\kstead\appdata\roaming\Nuance
2011-06-05 03:22:57 -------- d-----w- c:\program files\common files\IVA
2011-06-05 03:20:46 -------- d-----w- c:\program files\common files\Nuance
2011-06-05 03:07:39 -------- d-----w- c:\programdata\Nuance
2011-06-05 03:07:39 -------- d-----w- c:\program files\Nuance
2011-06-05 02:54:44 -------- d-----w- c:\programdata\Sony Corporation
2011-06-04 03:18:51 -------- d-----w- c:\program files\common files\Oberon Media
2011-06-04 03:18:36 -------- d-----w- c:\programdata\Oberon Media
2011-06-04 03:18:28 -------- d-----w- c:\program files\Oberon Media
2011-06-04 03:18:28 -------- d-----w- c:\program files\MSN Games
2011-05-17 15:52:32 -------- d-----w- c:\program files\common files\VideoDecoder
2011-05-17 02:34:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-16 19:05:45 3044216 ----a-w- c:\windows\system32\Uninstall.exe
.
==================== Find3M ====================
.
2011-06-11 09:12:49 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2011-04-20 20:46:26 215864 ----a-w- c:\windows\system32\atsckernel.exe
2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 23:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: TOSHIBA_MK1656GSY rev.LH013C -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x82E4E000]<< >>UNKNOWN [0x8B600000]<< >>UNKNOWN [0x8B800000]<< >>UNKNOWN [0x8BBED000]<< >>UNKNOWN [0x82E17000]<< >>UNKNOWN [0x8B299000]<< >>UNKNOWN [0x8B4B4000]<< >>UNKNOWN [0x8B3D6000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x82E8552F] -> \Device\Harddisk0\DR0[0x865E1438]
\Driver\Disk[0x865DFF38] -> IRP_MJ_CREATE -> 0x8B60439F
3 [0x8B60459E] -> ntkrnlpa!IofCallDriver[0x82E8552F] -> [0x865E0598]
\Driver\hpdskflt[0x855A5C48] -> IRP_MJ_CREATE -> 0x8BBEEFB0
5 [0x8BBEF090] -> ntkrnlpa!IofCallDriver[0x82E8552F] -> [0x862C0918]
\Driver\ACPI[0x85526D30] -> IRP_MJ_CREATE -> 0x8B2A24CC
7 [0x8B2A23D4] -> ntkrnlpa!IofCallDriver[0x82E8552F] -> \Device\Ide\IdeDeviceP0T0L0-0[0x86310908]
\Driver\atapi[0x862E9BC0] -> IRP_MJ_CREATE -> 0x8B4CE8CC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 2:49:49.19 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-11.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 7/16/2010 1:27:52 PM
System Uptime: 6/11/2011 2:10:58 AM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 30E7
Processor: Intel® Core™2 Duo CPU P8700 @ 2.53GHz | Intel® Genuine processor | 2508/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 32.483 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 466 GiB total, 91.057 GiB free.
F: is Removable
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: HP LaserJet P4014
Device ID: ROOT\MULTIFUNCTION\0031
Manufacturer:
Name: HP LaserJet P4014
PNP Device ID: ROOT\MULTIFUNCTION\0031
Service:
.
Class GUID:
Description: HP LaserJet M4345 MFP
Device ID: ROOT\MULTIFUNCTION\0033
Manufacturer:
Name: HP LaserJet M4345 MFP
PNP Device ID: ROOT\MULTIFUNCTION\0033
Service:
.
Class GUID:
Description: Officejet 6500 E709n
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer:
Name: Officejet 6500 E709n
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID:
Description: HP LaserJet 4050 Series
Device ID: ROOT\MULTIFUNCTION\0039
Manufacturer:
Name: HP LaserJet 4050 Series
PNP Device ID: ROOT\MULTIFUNCTION\0039
Service:
.
Class GUID:
Description: HP Color LaserJet CP3525
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer:
Name: HP Color LaserJet CP3525
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
.
Class GUID:
Description: HP LaserJet 8000 Series
Device ID: ROOT\MULTIFUNCTION\0043
Manufacturer:
Name: HP LaserJet 8000 Series
PNP Device ID: ROOT\MULTIFUNCTION\0043
Service:
.
Class GUID:
Description: HP Color LaserJet CP3525
Device ID: ROOT\MULTIFUNCTION\0002
Manufacturer:
Name: HP Color LaserJet CP3525
PNP Device ID: ROOT\MULTIFUNCTION\0002
Service:
.
Class GUID:
Description: HP LaserJet 8000 Series
Device ID: ROOT\MULTIFUNCTION\0003
Manufacturer:
Name: HP LaserJet 8000 Series
PNP Device ID: ROOT\MULTIFUNCTION\0003
Service:
.
Class GUID:
Description: HP Color LaserJet CP3525
Device ID: ROOT\MULTIFUNCTION\0004
Manufacturer:
Name: HP Color LaserJet CP3525
PNP Device ID: ROOT\MULTIFUNCTION\0004
Service:
.
Class GUID:
Description: HP Color LaserJet CP3525
Device ID: ROOT\MULTIFUNCTION\0005
Manufacturer:
Name: HP Color LaserJet CP3525
PNP Device ID: ROOT\MULTIFUNCTION\0005
Service:
.
Class GUID:
Description: Officejet 6500 E709n
Device ID: ROOT\MULTIFUNCTION\0006
Manufacturer:
Name: Officejet 6500 E709n
PNP Device ID: ROOT\MULTIFUNCTION\0006
Service:
.
Class GUID:
Description: HP Color LaserJet CP3525
Device ID: ROOT\MULTIFUNCTION\0007
Manufacturer:
Name: HP Color LaserJet CP3525
PNP Device ID: ROOT\MULTIFUNCTION\0007
Service:
.
Class GUID:
Description: HP Color LaserJet CP3525
Device ID: ROOT\MULTIFUNCTION\0008
Manufacturer:
Name: HP Color LaserJet CP3525
PNP Device ID: ROOT\MULTIFUNCTION\0008
Service:
.
Class GUID:
Description: hp LaserJet 4350
Device ID: ROOT\MULTIFUNCTION\0009
Manufacturer:
Name: hp LaserJet 4350
PNP Device ID: ROOT\MULTIFUNCTION\0009
Service:
.
Class GUID:
Description: HP LaserJet 8000 Series
Device ID: ROOT\MULTIFUNCTION\0010
Manufacturer:
Name: HP LaserJet 8000 Series
PNP Device ID: ROOT\MULTIFUNCTION\0010
Service:
.
Class GUID:
Description: ADB
Device ID: USB\VID_0BB4&PID_0C02&MI_01\6&AC4BDE9&0&0001
Manufacturer:
Name: ADB
PNP Device ID: USB\VID_0BB4&PID_0C02&MI_01\6&AC4BDE9&0&0001
Service:
.
Class GUID:
Description: hp LaserJet 4350
Device ID: ROOT\MULTIFUNCTION\0011
Manufacturer:
Name: hp LaserJet 4350
PNP Device ID: ROOT\MULTIFUNCTION\0011
Service:
.
Class GUID:
Description: HP LaserJet 8000 Series
Device ID: ROOT\MULTIFUNCTION\0013
Manufacturer:
Name: HP LaserJet 8000 Series
PNP Device ID: ROOT\MULTIFUNCTION\0013
Service:
.
Class GUID:
Description: Officejet 6500 E709n
Device ID: ROOT\MULTIFUNCTION\0014
Manufacturer:
Name: Officejet 6500 E709n
PNP Device ID: ROOT\MULTIFUNCTION\0014
Service:
.
Class GUID:
Description: hp LaserJet 4250
Device ID: ROOT\MULTIFUNCTION\0015
Manufacturer:
Name: hp LaserJet 4250
PNP Device ID: ROOT\MULTIFUNCTION\0015
Service:
.
Class GUID:
Description: hp LaserJet 4350
Device ID: ROOT\MULTIFUNCTION\0019
Manufacturer:
Name: hp LaserJet 4350
PNP Device ID: ROOT\MULTIFUNCTION\0019
Service:
.
Class GUID:
Description: HP LaserJet P4014
Device ID: ROOT\MULTIFUNCTION\0024
Manufacturer:
Name: HP LaserJet P4014
PNP Device ID: ROOT\MULTIFUNCTION\0024
Service:
.
Class GUID:
Description: HP LaserJet 4050 Series
Device ID: ROOT\MULTIFUNCTION\0028
Manufacturer:
Name: HP LaserJet 4050 Series
PNP Device ID: ROOT\MULTIFUNCTION\0028
Service:
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
6500_E709_eDocs
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Acrobat 9.3.0 - CPSID_52073
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advanced Renamer
AHV content for Acrobat and Flash
AIM 7
Akamai NetSession Interface
Altiris NS Client
Altiris Software Delivery Solution Agent
Altiris Task Synchronization Agent
AnyBizSoft PDF Password Remover (Build 1.2.0)
AoA Audio Extractor
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.3.13 (Unicode)
Audio Tags Editor
Autodesk Design Review 2011
Autodesk Design Review Firefox Add-on v1.1
Bejeweled 3
BitTorrent
BlackBerry App World Browser Plugin
BlackBerry Desktop Software 6.1
BlackBerry Device Software v4.5.0 for the BlackBerry 8830 smartphone
Bonjour
bpd_scan
BPDSoftware
BPDSoftware_Ini
Broadcom 802.11 Wireless LAN Adapter
BufferChm
CanoScan Toolbox Ver4.1
CardRecovery 5.30
Cisco NAC Agent
Cisco WebEx Meeting Center for Firefox or Chrome
Cisco WebEx Meeting Center for Internet Explorer
Citrix Presentation Server Client
CMG Windows Shield
Crystal Reports 2008 SP3
D3DX10
Definition update for Microsoft Office 2010 (KB982726)
Dell Driver Download Manager
Destinations
DeviceDiscovery
Digital Voice Editor 3
DirectX 9 Runtime
DivX Setup
DocProc
Download Updater (AOL LLC)
Dragon NaturallySpeaking 11
DWG TrueView 2011
Elekta Impac SetupMosaiq 1.6.13 for MOSAIQ versions 1.6 to 2.2.
eReg
Everything 1.2.1.371
Fax
Feedback Tool
FileZilla Client 3.4.0
FLV Player 2.0 (build 25)
Google Chrome
Google Earth
Google Update Helper
GoToMeeting 4.5.0.457
GPBaseService2
Gtk# for .Net 2.12.9
HostExplorer 2008
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
HP 3D DriveGuard
HP Customer Participation Program 13.0
HP DDM Inventory Agent (x86) 7.70.000.1424
HP Imaging Device Functions 13.0
HP Officejet 6500 E709 Series
HP Officejet 6500 E710n-z Basic Device Software
HP Officejet 6500 E710n-z Help
HP Officejet 6500 E710n-z Product Improvement Study
HP Product Detection
HP Quick Launch Buttons
HP Smart Web Printing 4.51
HP Solution Center 13.0
HP Update
HP Webcam
HP Webcam Application
HPDiagnosticAlert
HPProductAssistant
HPSSupply
I.R.I.S. OCR
ImgBurn
Intel® Network Connections Drivers
iSiteEnterprise 3.6.87.0
IsmClientComponents
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 18
Java Auto Updater
Java™ 6 Update 22
Java™ 6 Update 23
Junk Mail filter update
LightScribe System Software
LightScribe Template Labeler
Logitech SetPoint 6.15
Lotus Notes 8.5.1
LSI HDA Modem
MarketResearch
McAfee Agent
McAfee VirusScan Enterprise
Media Player Utilities 5.15
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Image Composite Editor
Microsoft IntelliPoint 7.0
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove MUI (English) 2010
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Project MUI (English) 2010
Microsoft Office Project Professional 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Visio 2010
Microsoft Office Visio MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Project Professional 2010
Microsoft Report Viewer Redistributable 2005
Microsoft Robocopy GUI
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Management Studio
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 Policies
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server Compact 3.5 SP1 Query Tools English
Microsoft Visio Premium 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual Studio Tools for Applications 2.0 - ENU
MobileMe Control Panel
Moffsoft FreeCalc
Mozilla Firefox 4.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MyFax® Print-to-Fax Assistant
Nero 7 Ultra Edition
neroxml
Network
Notepad++
OCR Software by I.R.I.S. 13.0
OGA Notifier 2.0.0048.0
PDF Settings
Picasa 3
Pinta 0.6
PokerStars.net
QLBCASL
Query Tool (using ODBC) 6.1
QuickTime
RICOH Media Driver
RocketDock 1.3.5
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Business
Roxio Creator Business v10
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Excel 2010 (KB2466146)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft PowerPoint 2010 (KB2519975)
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft Word 2010 (KB2345000)
Shop for HP Supplies
Smart Label Printer 6.4
SmartWebPrinting
SnagIt 8
SolutionCenter
Sonic CinePlayer Decoder Pack
Sound Organizer
SoundMAX
Status
Synaptics Pointing Device Driver
Synergy
TeamViewer 6
Toolbox
TrayApp
Trillian
Unity Web Player
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
VC80CRTRedist - 8.0.50727.4053
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking
WebEx
WebEx Productivity Tools
WebReg
Windows Driver Package - Hewlett-Packard Image (05/15/2008 11.5.0.116)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
Windows Resource Kit Tools
WinRAR archiver
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
6/8/2011 7:10:43 AM, Error: atikmdag [43035] - EDID is not supported on this display
6/7/2011 4:45:41 AM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
6/7/2011 4:04:00 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
6/7/2011 4:03:55 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.
6/6/2011 7:38:39 AM, Error: Service Control Manager [7034] - The Interactive Services Detection service terminated unexpectedly. It has done this 1 time(s).
6/6/2011 7:28:53 AM, Error: Service Control Manager [7034] - The Multi-user Cleanup Service service terminated unexpectedly. It has done this 1 time(s).
6/6/2011 7:28:49 AM, Error: Service Control Manager [7034] - The Lotus Notes Single Logon service terminated unexpectedly. It has done this 1 time(s).
6/4/2011 8:24:38 PM, Error: Service Control Manager [7030] - The Dragon Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
6/4/2011 7:58:27 PM, Error: Service Control Manager [7030] - The PACSPTISVR-Sound_Organizer service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
6/11/2011 2:23:21 AM, Error: Service Control Manager [7034] - The Cisco NAC Agent service terminated unexpectedly. It has done this 1 time(s).
6/11/2011 2:19:51 AM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 2 time(s).
6/11/2011 2:17:47 AM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
6/11/2011 2:17:34 AM, Error: Service Control Manager [7022] - The Windows Search service hung on starting.
6/11/2011 2:17:09 AM, Error: Service Control Manager [7034] - The Altiris Agent service terminated unexpectedly. It has done this 1 time(s).
6/11/2011 2:17:01 AM, Error: Service Control Manager [7034] - The Altiris Client Service service terminated unexpectedly. It has done this 1 time(s).
6/11/2011 2:16:21 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
6/11/2011 2:14:31 AM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
6/11/2011 2:13:43 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
6/11/2011 2:12:03 AM, Error: Service Control Manager [7000] - The Access Utility Service service failed to start due to the following error: The system cannot find the file specified.
6/11/2011 2:12:03 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain HS due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
6/11/2011 2:11:48 AM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
6/11/2011 2:11:48 AM, Error: atikmdag [43029] - Display is not active
6/11/2011 2:07:12 AM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
6/11/2011 2:05:53 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
6/11/2011 2:05:51 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
6/11/2011 2:05:51 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
6/11/2011 2:05:51 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
6/11/2011 2:05:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
6/11/2011 2:05:37 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/11/2011 2:05:26 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
6/11/2011 2:05:12 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache mfehidk mfetdik NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
6/11/2011 2:05:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
6/11/2011 2:05:11 AM, Error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The Simple TCP/IP Services service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The Netlogon service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/11/2011 2:05:08 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/11/2011 12:35:34 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
6/11/2011 1:29:41 AM, Error: Service Control Manager [7031] - The CMGShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Reboot the machine.
6/11/2011 1:29:02 AM, Error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
6/10/2011 11:51:57 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the CMGShield service.
.
==== End Of File ===========================

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-11 02:56:00
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1656GSY rev.LH013C
Running: gmer.exe; Driver: C:\TEMP\kgrdrpog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0x8B7C668A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8B7C65E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8B7C65FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8B7C6612]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8B7C664E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8B7C669E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0x8B7C6676]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0x8B7C6662]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8B7C663A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8B7C6626]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8B7C65D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs CMGShCEF.sys (CMG Shield for Windows Driver/CREDANT Technologies, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

FYI, Ran Kaperski with no luck. Downloaded the McAfee fix for this rootkit, can't find it either. Everything is still there.

About ready to pull my data off and reimage...

EDIT: Posts merged ~Budapest

Edited by Budapest, 11 June 2011 - 05:09 PM.


BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:02:53 PM

Posted 14 June 2011 - 03:29 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:02:53 PM

Posted 16 June 2011 - 10:41 AM

Hi!

It's been several days since I last posted instructions for you to complete. Do you still require assistance in getting your computer cleaned up?

Please Note: Unless notified in advance, threads with no response in 3 days get closed.

Thanks,
SweetTech.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:02:53 PM

Posted 17 June 2011 - 08:29 AM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.


Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users