Rootkit.ZeroAccess! infection


  • This topic is locked
21 replies to this topic

#1 shortysclimbin

  • Members
  • 11 posts

Posted 06 September 2011 - 04:13 PM

Hello and Thank you in advance for any help!

I am having major issues with a rather nasty case of trojans and viruses taking over. McAfee reported the following, but was not able to delete them in safe mode, and it shuts down in normal Windows XP Pro:

w32/katusha
Zeroaccess.a
Generic backdoor!dn
Generic rootkit.ev

Digging further, I was finding that, as always, McAfee is almost always useless and hindered in removing these things. I have done some general searching, but was not able to find key files related to the above.


I then ran ComboFix, which also detected Rootkit.ZeroAccess! The log follows below; please advise on any other items I should remove.
___________________________________________

ComboFix 11-09-06.03 - klevesqu 2011-09-06 16:26:33.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1585 [GMT -4:00]
Running from: d:\documents and settings\klevesqu\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB44287$
c:\windows\$NtUninstallKB44287$\217113068
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\calc.exe
c:\windows\Client.ini
c:\windows\dasetup.log
c:\windows\system32\CF14871.exe
c:\windows\system32\comct332.ocx
c:\windows\system32\inf
c:\windows\system32\inf\Walldata.inf
d:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
d:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
d:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL2.tmp.95a6409a.ini
d:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL54.tmp.39259ba9.ini
d:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL6.tmp.a557bc9e.ini
d:\documents and settings\klevesqu\Application Data\Adobe\plugs
d:\documents and settings\klevesqu\Application Data\Adobe\plugs\mmc130.exe
d:\documents and settings\klevesqu\Application Data\Adobe\plugs\mmc1382191046.txt
d:\documents and settings\klevesqu\Application Data\Adobe\plugs\mmc1382209796.txt
d:\documents and settings\klevesqu\Application Data\Adobe\plugs\mmc200.exe
d:\documents and settings\klevesqu\Application Data\Adobe\plugs\mmc223.exe
d:\documents and settings\klevesqu\Application Data\Adobe\shed
d:\documents and settings\klevesqu\Application Data\Adobe\shed\thr1.chm
d:\documents and settings\klevesqu\Local Settings\Application Data\ApplicationHistory
d:\documents and settings\klevesqu\Local Settings\Application Data\ApplicationHistory\MSI69.tmp.3990c05d.ini
d:\documents and settings\klevesqu\Local Settings\Application Data\ApplicationHistory\MSI6A.tmp.d67f9885.ini
d:\documents and settings\klevesqu\Local Settings\Application Data\ApplicationHistory\MSIB1.tmp.e9ce7f29.ini
d:\documents and settings\klevesqu\Local Settings\Application Data\ApplicationHistory\MSIB2.tmp.2dbade2a.ini
d:\documents and settings\klevesqu\Local Settings\Application Data\ApplicationHistory\regasm.exe.11f1da13.ini
d:\documents and settings\klevesqu\Local Settings\Application Data\ApplicationHistory\Viewer.exe.ff6dcb2b.ini.inuse
d:\documents and settings\klevesqu\My Documents\~WRL0232.tmp
d:\documents and settings\klevesqu\My Documents\~WRL2867.tmp
d:\documents and settings\klevesqu\WINDOWS
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_e95bba5b
.
.
((((((((((((((((((((((((( Files Created from 2011-08-06 to 2011-09-06 )))))))))))))))))))))))))))))))
.
.
2011-08-31 12:56 . 2011-08-31 12:56 -------- d-----w- d:\documents and settings\\a_aczajk
2011-08-26 18:14 . 2011-08-26 18:27 -------- d-----w- c:\windows\system32\XPSViewer
2011-08-26 18:14 . 2011-08-26 18:14 -------- d-----w- c:\program files\MSBuild
2011-08-26 18:14 . 2011-08-26 18:14 -------- d-----w- c:\program files\Reference Assemblies
2011-08-26 18:14 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-08-26 18:13 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-08-26 18:13 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-08-26 18:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-08-26 18:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-08-26 18:13 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-08-26 18:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-08-26 18:13 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-08-26 18:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-08-18 19:48 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-18 19:40 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-08 18:26 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-08-08 18:26 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-06 18:13 . 2009-05-01 12:53 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2011-09-02 16:46 . 2008-07-14 14:59 25600 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2011-09-02 16:45 . 2008-07-14 15:35 121392 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-02 16:45 . 2011-03-28 16:30 69192 ----a-w- c:\windows\system32\mfevtps.exe
2011-09-02 16:45 . 2009-02-09 21:01 544256 ----a-w- c:\windows\system32\hasplms.exe
2011-09-02 16:45 . 2007-05-29 23:52 49152 ----a-w- c:\windows\system32\CCSRVC.exe
2011-09-02 16:44 . 2008-07-14 14:59 1925120 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2011-09-01 18:47 . 2010-02-11 19:02 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2011-07-08 14:02 . 2007-06-25 22:57 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2007-06-26 12:58 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45 . 2007-06-25 22:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45 . 2007-06-25 22:56 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45 . 2007-06-25 22:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45 . 2007-06-25 22:56 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47 . 2007-06-25 22:56 389120 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2007-06-25 22:58 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-05 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-10-26 36864]
"PPScheduler"="c:\program files\ScanSoft\PaperPort\PPScheduler.exe" [2004-10-26 98304]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-03-04 72240]
"AClntUsr"="c:\altiris\AClient\AClntUsr.EXE" [2010-08-12 184320]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-05-12 143360]
"eTMonitor"="c:\program files\Common Files\Aladdin Shared\eToken\PKIClient\x32\PKIMonitor.exe" [2008-08-05 221184]
"AlstomUSBginfo"="c:\progra~1\Bginfo\bginfo.exe" [2008-08-06 845864]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-23 124224]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2004-8-20 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 300 (0x12c)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesRecycleBin"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"RecycleBinSize"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HPZRCV01.LNK
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 9.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 9.lnk
backup=c:\windows\pss\SnagIt 9.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^klevesqu^Start Menu^Programs^Startup^RT-Updater.lnk]
path=d:\documents and settings\klevesqu\Start Menu\Programs\Startup\RT-Updater.lnk
backup=c:\windows\pss\RT-Updater.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2011-05-27 12:52 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-01-25 21:34 159744 -c----w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-10-09 23:17 2183168 ------w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 00:29 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-10-26 23:08 40960 -c----w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-27 14:23 282624 -c----w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 -c----r- c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ------w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 05:01 110592 -c----w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2008-03-04 00:10 55856 ------w- c:\program files\VMware\VMware Workstation\hqtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"TrapiServer"=2 (0x2)
"TapiSrv"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"Proficy Driver Runtime"=3 (0x3)
"ose"=3 (0x3)
"Multi-user Cleanup Service"=2 (0x2)
"mnmsrvc"=3 (0x3)
"LoggingService"=2 (0x2)
"LmHosts"=2 (0x2)
"iLicenseSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"FxControlRuntime"=2 (0x2)
"FIX"=3 (0x3)
"CCFLIC0"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Altiris\\Aclient\\AClntUsr.EXE"=
"c:\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-05-29 9216]
R2 EGDCfg;EGDCfg;c:\program files\GE Industrial Systems\EgdCfgServer\EgdCfgServer.exe [2007-01-09 36864]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2011-09-02 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-03-28 69192]
R2 Refresh Distributor;Refresh Distributor;c:\program files\Refresh IT Solutions\Refresh Distributor\RefreshDistributorAgent.exe [2010-12-20 644096]
R2 VDSPU100;VDSPU100;c:\windows\system32\drivers\Vdspu100.sys [2008-07-18 20512]
R3 eTSCFLT;eToken SmartCard Upper Class Filter Driver;c:\windows\system32\drivers\eTSCFLT.sys [2010-02-11 12456]
R3 ikbf5;GE Fanuc Keyboard Class Upper Filter Driver;c:\windows\system32\drivers\ikbf5.sys [2009-02-09 11688]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2005-02-15 18424]
S3 Intellution MBE Driver Helper;Intellution MBE Driver Helper;c:\progra~1\GEFANU~1\PR9E26~1\MBEHelperService.exe [2009-02-09 99624]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-03-28 66536]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2005-02-15 17828]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [2009-02-16 58880]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2005-02-15 26964]
S4 FxControlRuntime;FxControl Runtime;c:\program files\GE Fanuc\Proficy Machine Edition\fxControl\Runtime\NT\FxControl.exe [2008-04-01 634880]
S4 LoggingService;Proficy Log Server;c:\program files\GE Fanuc\Proficy Event Logger\LoggingService.exe [2008-04-01 143360]
S4 Proficy Driver Runtime;Proficy Driver Runtime;c:\program files\GE Fanuc\Proficy Machine Edition\fxView\Runtime\ProficyDrivers\WIN32\GefPdfOpc.exe [2006-11-24 192512]
S4 TrapiServer;Trapi File Server;c:\program files\GE Fanuc\Proficy Machine Edition\Common\Components\NT\TrapiServer.exe [2008-04-08 102400]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://iww.alstom.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
LSP: mswsock.dll
Trusted Zone: alstom.com\supplier.power
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM_ActiveSetup-{95120000-00AF-0409-0000-0000000FF1CE} - msiexec -fu {95120000-00AF-0409-0000-0000000FF1CE}
HKLM_ActiveSetup-{B740F832-DFF6-4BC1-92A6-6AFAC92A4B56} - msiexec
HKLM_ActiveSetup-{D3973444-9417-46D1-A555-6CF9B8062839} - msiexec
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-06 16:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\1538939881:379864484.exe 816 bytes executable
.
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\1538939881:379864484.exe
c:\windows\System32\SCardSvr.exe
c:\program files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\windows\system32\ccsrvc.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Altiris\Carbon Copy\shellker.exe
c:\windows\system32\hasplms.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Neoteris\Installer Service\NeoterisSetupService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\progra~1\Altiris\CARBON~1\client.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\Logi_MwX.Exe
c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe
c:\program files\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Completion time: 2011-09-06 16:41:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-06 20:41
.
Pre-Run: 23,858,335,744 bytes free
Post-Run: 23,973,142,528 bytes free
.
- - End Of File - - 70B60ECFD6B960CEB539E924A72DA698


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 10 September 2011 - 05:58 PM

Hi

Please do the following:

Note:

Please allow ComboFix to update if it requests to do so:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DirLook::
d:\documents and settings\\a_aczajk

RootKit::
c:\windows\1538939881
c:\windows\1538939881:379864484.exe 

ADS::
c:\windows\1538939881

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
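The key finding in the first log is the catchme line `c:\windows\1538939881:379864484.exe 816 bytes executable`, and the same path appearing under "Other Running Processes": the executable lives in an NTFS alternate data stream (ADS) attached to an all-digit directory under `%windir%`, which is why ordinary directory listings and McAfee did not show it, and why the CFScript above targets it with `RootKit::` and `ADS::` directives. The following is an added example, not code from the thread, from ComboFix, or from its author: it scans a ComboFix-style log for ADS-style paths, notes which of them are backing a running process, and renders the same `RootKit::`/`ADS::` directives that the reply above wrote by hand. The sample log excerpt is constructed from lines in the first post; the regular expressions and the section markers it keys on are this example's own assumptions about the log format, not a documented ComboFix parser.

```python
"""Flag NTFS alternate-data-stream (ADS) paths in a ComboFix-style log.

Added example, not part of the original thread.  SAMPLE_LOG is a constructed
excerpt built from entries shown in the first post; the regexes and section
markers below are assumptions about the log format, not ComboFix's own parser.
"""
import re
from typing import Iterable, List, Tuple

# A Windows path whose last component carries a ":stream" suffix.  The lazy
# path group stops at the first colon after the drive letter, so the drive
# colon itself never counts as a stream separator.  Trailing text such as
# "816 bytes executable" is tolerated after the stream name.
#   group 1 = host file or directory, group 2 = stream name
ADS_RE = re.compile(r"^([a-z]:\\[^:\r\n]*?):([^:\\\s]+)(?:\s|$)", re.IGNORECASE)

# Constructed excerpt: a few lines lifted from the log in the first post.
SAMPLE_LOG = r"""
scanning hidden files ...

c:\windows\1538939881:379864484.exe 816 bytes executable

------------------------ Other Running Processes ------------------------

c:\windows\System32\WLTRYSVC.EXE
c:\windows\1538939881:379864484.exe
c:\windows\System32\SCardSvr.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
"""


def find_ads(text: str) -> List[Tuple[str, str]]:
    """Return unique (host, stream) pairs, in order of first appearance."""
    found: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            pair = (m.group(1).lower(), m.group(2))
            if pair not in found:
                found.append(pair)
    return found


def ads_processes(text: str) -> List[str]:
    """ADS-backed entries under 'Other Running Processes': code executing
    from a stream, which a file-list based scanner will not show."""
    hits: List[str] = []
    in_section = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("-----") and "Other Running Processes" in s:
            in_section = True          # assumed section header (as in the log above)
            continue
        if in_section and s.startswith("****"):
            break                      # assumed section terminator
        if in_section and ADS_RE.match(s):
            hits.append(s.lower())
    return hits


def is_numeric_windir_host(host: str) -> bool:
    """True for an all-digit directory directly under %windir%, the host
    pattern seen in this thread (c:\\windows\\1538939881)."""
    return re.fullmatch(r"[a-z]:\\windows\\\d+", host, re.IGNORECASE) is not None


def build_cfscript(ads: Iterable[Tuple[str, str]]) -> str:
    """Render RootKit:: and ADS:: directives in the layout used in the reply
    above: the host and the host:stream under RootKit::, the host under ADS::."""
    pairs = list(ads)
    if not pairs:
        return ""
    rootkit_lines: List[str] = []
    for host, stream in pairs:
        rootkit_lines.append(host)
        rootkit_lines.append(f"{host}:{stream}")
    hosts = list(dict.fromkeys(host for host, _ in pairs))
    return ("RootKit::\n" + "\n".join(rootkit_lines) + "\n\n"
            "ADS::\n" + "\n".join(hosts) + "\n")


if __name__ == "__main__":
    ads = find_ads(SAMPLE_LOG)
    for host, stream in ads:
        tag = " (numeric dir under %windir%)" if is_numeric_windir_host(host) else ""
        print(f"ADS: {host}:{stream}{tag}")
    for proc in ads_processes(SAMPLE_LOG):
        print(f"running from ADS: {proc}")
    print(build_cfscript(ads), end="")
```

Two caveats a practitioner would add. First, the regex only recognises the `host:stream` spelling that catchme and ComboFix print; on a live system you would enumerate streams directly (for example with Sysinternals `streams.exe`, or `dir /r` on Vista and later), because a rootkit that hooks directory enumeration can hide the host entry from a user-mode scanner. Second, a generated CFScript is a starting point for a human to review, not something to feed to ComboFix unread: the tool deletes what the `RootKit::` and `ADS::` sections name, and a false match on a legitimate stream would be destructive.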


#3 shortysclimbin

  • Topic Starter
  • Members
  • 11 posts

Posted 11 September 2011 - 03:41 PM

ComboFix 11-09-11.05 - klevesqu 2011-09-05 15:48:06.4.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1721 [GMT -4:00]
Running from: d:\documents and settings\klevesqu\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\klevesqu\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\1538939881
c:\windows\Client.ini
d:\documents and settings\Default User\ntuser.dat.LOG
.
.
((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))
.
.
2011-09-09 14:54 . 2011-09-09 14:54 -------- d-----w- d:\documents and settings\klevesqu\Local Settings\Application Data\WMTools Downloaded Files
2011-09-09 14:48 . 2008-04-14 04:16 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2011-09-09 14:48 . 2008-04-14 04:16 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
2011-09-09 14:48 . 2008-04-14 04:16 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
2011-09-09 14:48 . 2008-04-14 04:16 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2011-09-09 14:48 . 2008-04-14 04:16 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2011-09-09 14:48 . 2008-04-14 04:16 48128 ----a-w- c:\windows\system32\drivers\61883.sys
2011-09-07 20:43 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-07 20:43 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-07 20:14 . 2011-09-07 20:14 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-07 17:50 . 2011-09-07 20:12 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-09-06 20:32 . 2008-04-14 04:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-09-06 20:32 . 2008-04-14 04:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-06 20:15 . 2011-09-06 20:15 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2011-09-02 16:02 . 2011-09-02 16:02 43408 --sha-w- c:\windows\system32\c_58134.nl_
2011-09-01 17:55 . 2011-09-01 17:55 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-09-01 13:06 . 2011-09-01 13:06 4194304 ----a-w- c:\windows\system32\vovkmaeu.dll
2011-08-26 18:14 . 2011-08-26 18:27 -------- d-----w- c:\windows\system32\XPSViewer
2011-08-26 18:14 . 2011-08-26 18:14 -------- d-----w- c:\program files\MSBuild
2011-08-26 18:14 . 2011-08-26 18:14 -------- d-----w- c:\program files\Reference Assemblies
2011-08-26 18:14 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-08-26 18:13 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-08-26 18:13 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-08-26 18:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-08-26 18:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-08-26 18:13 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-08-26 18:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-08-26 18:13 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-08-26 18:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-08-18 19:48 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-18 19:40 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-08 18:26 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-08-08 18:26 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-07 20:15 . 2004-08-03 23:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-06 18:13 . 2009-05-01 12:53 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2011-09-02 16:46 . 2008-07-14 14:59 25600 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2011-09-02 16:45 . 2008-07-14 15:35 121392 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-02 16:45 . 2011-03-28 16:30 69192 ----a-w- c:\windows\system32\mfevtps.exe
2011-09-02 16:45 . 2009-02-09 21:01 544256 ----a-w- c:\windows\system32\hasplms.exe
2011-09-02 16:45 . 2007-05-29 23:52 49152 ----a-w- c:\windows\system32\CCSRVC.exe
2011-09-02 16:44 . 2008-07-14 14:59 1925120 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2011-09-01 18:47 . 2010-02-11 19:02 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2011-07-08 14:02 . 2007-06-25 22:57 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2007-06-26 12:58 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45 . 2007-06-25 22:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45 . 2007-06-25 22:56 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45 . 2007-06-25 22:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45 . 2007-06-25 22:56 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47 . 2007-06-25 22:56 389120 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2007-06-25 22:58 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of d:\documents and settings\\a_aczajk ----
.
2011-08-31 12:56 . 2011-08-31 12:56 62 --sha-w- d:\documents and settings\\a_aczajk\Local Settings\desktop.ini
2011-08-31 12:56 . 2011-08-31 12:57 178 --sha-w- d:\documents and settings\\a_aczajk\ntuser.ini
2011-08-31 12:56 . 2011-08-31 12:57 262144 ---ha-w- d:\documents and settings\\a_aczajk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2011-08-31 12:56 . 2011-08-31 12:56 1024 ---ha-w- d:\documents and settings\\a_aczajk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2011-08-31 12:56 . 2007-06-28 17:36 496 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Adobe\Acrobat\7.0\AdobeCMapFnt07.lst
2011-08-31 12:56 . 2007-06-28 17:36 23528 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Adobe\Acrobat\7.0\AdobeSysFnt07.lst
2011-08-31 12:56 . 2007-06-28 17:37 103 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Adobe\Acrobat\7.0\Collab\RSS
2011-08-31 12:56 . 2007-06-28 17:37 10 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Adobe\Acrobat\7.0\JavaScripts\glob.settings.js
2011-08-31 12:56 . 2007-06-28 17:36 1252 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Adobe\Acrobat\7.0\JSADM.exv
2011-08-31 12:56 . 2007-06-28 17:36 41737 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Adobe\Acrobat\7.0\UserCache.bin
2011-08-31 12:56 . 2007-06-28 17:37 1294 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt
2011-08-31 12:56 . 2007-06-28 17:37 195 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Adobe\Acrobat\7.0\Updater\udstore.js
2011-08-31 12:56 . 2007-06-28 17:52 1553 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Apple Computer\QuickTime\QTPlayerSession.xml
2011-08-31 12:56 . 2007-06-26 08:54 62 --sha-w- d:\documents and settings\\a_aczajk\Application Data\desktop.ini
2011-08-31 12:56 . 2007-06-28 17:35 2688 ----a-w- d:\documents and settings\\a_aczajk\Application Data\ICAClient\APPSRV.INI
2011-08-31 12:56 . 2005-10-21 21:09 428 ----a-w- d:\documents and settings\\a_aczajk\Application Data\ICAClient\pn.ini
2011-08-31 12:56 . 2007-06-28 17:35 618 ----a-w- d:\documents and settings\\a_aczajk\Application Data\ICAClient\WFCLIENT.INI
2011-08-31 12:56 . 2007-06-26 13:02 439 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\brndlog.bak
2011-08-31 12:56 . 2007-06-26 13:02 6776 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\brndlog.txt
2011-08-31 12:56 . 2007-06-28 17:13 119 --sha-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
2011-08-31 12:56 . 2007-06-28 17:13 659 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2011-08-31 12:56 . 2007-06-27 13:43 566 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\Quick Launch\Lotus Notes.lnk
2011-08-31 12:56 . 2007-06-26 19:20 2030 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Excel.lnk
2011-08-31 12:56 . 2007-06-26 19:20 2002 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft PowerPoint.lnk
2011-08-31 12:56 . 2007-06-28 17:31 2355 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
2011-08-31 12:56 . 2007-06-28 17:13 79 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
2011-08-31 12:56 . 2008-07-14 15:36 633 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Internet Explorer\Quick Launch\VMware Workstation.lnk
2011-08-31 12:56 . 2007-06-28 17:31 1288 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Office\Access.pip
2011-08-31 12:56 . 2007-06-28 17:32 36160 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Office\MSO1033.acl
2011-08-31 12:56 . 2007-06-28 17:31 445 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Office\Recent\db1.mdb.LNK
2011-08-31 12:56 . 2007-06-28 17:32 767 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Office\Recent\Templates.LNK
2011-08-31 12:56 . 2007-06-28 17:32 1428 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Office\Word.pip
2011-08-31 12:56 . 2005-09-02 14:44 308736 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\ALSTOM.pot
2011-08-31 12:56 . 2007-02-27 19:21 183296 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\CorporateLegal_35mm.pot
2011-08-31 12:56 . 2007-02-27 19:22 180224 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\CorporateLegal_Land.pot
2011-08-31 12:56 . 2007-02-27 19:23 276992 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\CorporateLegal_Port.pot
2011-08-31 12:56 . 2007-02-27 18:46 168960 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Corporate_35mm.pot
2011-08-31 12:56 . 2007-02-27 18:53 171520 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Corporate_Land.pot
2011-08-31 12:56 . 2007-02-27 18:54 268288 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Corporate_Port.pot
2011-08-31 12:56 . 2007-02-28 12:47 51712 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Facsimile_US.dot
2011-08-31 12:56 . 2007-02-28 12:50 31744 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\LetterheadPrePrinted_US.dot
2011-08-31 12:56 . 2007-02-28 12:49 46080 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Letterhead_US.dot
2011-08-31 12:56 . 2007-02-28 12:58 45056 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\MeetingReportColour_US.dot
2011-08-31 12:56 . 2007-02-28 12:52 50176 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\MeetingReport_US.dot
2011-08-31 12:56 . 2007-02-28 13:00 33792 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\MemoColour_US.dot
2011-08-31 12:56 . 2007-02-28 12:59 49152 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Memo_US.dot
2011-08-31 12:56 . 2007-02-27 20:07 199168 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerLegal_35mm.pot
2011-08-31 12:56 . 2007-02-27 20:08 199168 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerLegal_Land.pot
2011-08-31 12:56 . 2007-02-27 20:09 295424 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerLegal_Port.pot
2011-08-31 12:56 . 2007-02-27 20:09 204288 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerServiceLegal_35mm.pot
2011-08-31 12:56 . 2007-02-27 20:10 204800 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerServiceLegal_Land.pot
2011-08-31 12:56 . 2007-02-27 20:11 300032 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerServiceLegal_Port.pot
2011-08-31 12:56 . 2007-02-28 12:35 185856 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerSystemsLegal_35mm.pot
2011-08-31 12:56 . 2007-02-28 12:36 203264 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerSystemsLegal_Land.pot
2011-08-31 12:56 . 2007-02-28 12:37 282624 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerSystemsLegal_Port.pot
2011-08-31 12:56 . 2007-02-27 20:12 185856 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerSystems_35mm.pot
2011-08-31 12:56 . 2007-02-28 12:34 185856 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerSystems_Land.pot
2011-08-31 12:56 . 2007-02-27 20:14 282624 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\PowerSystems_Port.pot
2011-08-31 12:56 . 2007-01-18 22:45 222720 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Power_35mm.pot
2011-08-31 12:56 . 2007-02-27 20:04 181760 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Power_Land.pot
2011-08-31 12:56 . 2007-02-27 20:05 278528 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Power_Port.pot
2011-08-31 12:56 . 2007-02-28 12:42 201216 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\TransportLegal_35mm.pot
2011-08-31 12:56 . 2007-02-28 12:43 201216 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\TransportLegal_Land.pot
2011-08-31 12:56 . 2007-02-28 12:44 393728 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\TransportLegal_Port.pot
2011-08-31 12:56 . 2007-02-28 12:37 183808 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Transport_35mm.pot
2011-08-31 12:56 . 2007-02-28 12:40 183808 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Transport_Land.pot
2011-08-31 12:56 . 2007-02-28 12:42 280064 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Alstom\Transport_Port.pot
2011-08-31 12:56 . 2007-06-28 17:32 27648 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Microsoft\Templates\Normal.dot
2011-08-31 12:56 . 2007-06-28 17:49 642 ----a-w- d:\documents and settings\\a_aczajk\Application Data\Sun\Java\Deployment\deployment.properties
2011-08-31 12:56 . 2011-08-30 17:10 16384 --sha-w- d:\documents and settings\\a_aczajk\Cookies\index.dat
2011-08-31 12:56 . 2007-06-28 17:13 122 --sha-w- d:\documents and settings\\a_aczajk\Favorites\Desktop.ini
2011-08-31 12:56 . 2007-06-28 17:13 169 ----a-w- d:\documents and settings\\a_aczajk\Favorites\Links\Windows Marketplace.url
2011-08-31 12:56 . 2010-02-11 21:12 145 --sha-w- d:\documents and settings\\a_aczajk\Local Settings\History\desktop.ini
2011-08-31 12:56 . 2010-02-11 21:12 145 --sha-w- d:\documents and settings\\a_aczajk\Local Settings\History\History.IE5\desktop.ini
2011-08-31 12:56 . 2011-08-30 17:10 16384 --sha-w- d:\documents and settings\\a_aczajk\Local Settings\History\History.IE5\index.dat
2011-08-31 12:56 . 2007-06-28 17:13 56 ----a-w- d:\documents and settings\\a_aczajk\My Documents\Bluetooth\sample.vcf
2011-08-31 12:56 . 2007-06-28 18:04 63 --sha-w- d:\documents and settings\\a_aczajk\My Documents\desktop.ini
2011-08-31 12:56 . 2007-06-28 18:04 168 --sha-w- d:\documents and settings\\a_aczajk\My Documents\My Music\Desktop.ini
2011-08-31 12:56 . 2007-06-28 18:04 170 --sha-w- d:\documents and settings\\a_aczajk\My Documents\My Pictures\Desktop.ini
2011-08-31 12:56 . 2007-06-28 17:13 861 ----a-w- d:\documents and settings\\a_aczajk\My Documents\My Music\Sample Music.lnk
2011-08-31 12:56 . 2007-06-28 17:13 891 ----a-w- d:\documents and settings\\a_aczajk\My Documents\My Pictures\Sample Pictures.lnk
2011-08-31 12:56 . 2007-06-28 17:53 150 --sha-w- d:\documents and settings\\a_aczajk\Recent\Desktop.ini
2011-08-31 12:56 . 2007-06-26 13:00 0 ----a-w- d:\documents and settings\\a_aczajk\SendTo\Compressed (zipped) Folder.ZFSendToTarget
2011-08-31 12:56 . 2007-06-26 13:00 0 ----a-w- d:\documents and settings\\a_aczajk\SendTo\Desktop (create shortcut).DeskLink
2011-08-31 12:56 . 2007-06-26 13:00 181 --sha-w- d:\documents and settings\\a_aczajk\SendTo\desktop.ini
2011-08-31 12:56 . 2007-06-26 13:00 0 ----a-w- d:\documents and settings\\a_aczajk\SendTo\Mail Recipient.MAPIMail
2011-08-31 12:56 . 2007-06-28 17:13 0 ----a-w- d:\documents and settings\\a_aczajk\SendTo\My Documents.mydocs
2011-08-31 12:56 . 2007-06-26 08:54 62 --sha-w- d:\documents and settings\\a_aczajk\Start Menu\desktop.ini
2011-08-31 12:56 . 2007-06-26 13:02 348 --sha-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Accessibility\desktop.ini
2011-08-31 12:56 . 2007-06-26 13:02 1437 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk
2011-08-31 12:56 . 2007-06-26 13:02 1442 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
2011-08-31 12:56 . 2007-06-26 13:02 1421 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
2011-08-31 12:56 . 2007-06-26 13:02 1451 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk
2011-08-31 12:56 . 2007-06-28 17:13 674 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Address Book.lnk
2011-08-31 12:56 . 2007-06-26 13:02 1481 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Command Prompt.lnk
2011-08-31 12:56 . 2007-06-28 17:13 542 --sha-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\desktop.ini
2011-08-31 12:56 . 2007-06-26 13:02 84 --sha-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Entertainment\desktop.ini
2011-08-31 12:56 . 2007-06-26 13:02 1437 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Notepad.lnk
2011-08-31 12:56 . 2007-06-26 13:02 386 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk
2011-08-31 12:56 . 2007-06-26 13:02 1437 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Synchronize.lnk
2011-08-31 12:56 . 2007-06-26 13:02 1441 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Tour Windows XP.lnk
2011-08-31 12:56 . 2007-06-28 17:13 192 --sha-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\desktop.ini
2011-08-31 12:56 . 2007-06-28 17:13 659 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Internet Explorer.lnk
2011-08-31 12:56 . 2007-06-26 13:00 1421 ----a-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Accessories\Windows Explorer.lnk
2011-08-31 12:56 . 2007-06-26 13:02 84 --sha-w- d:\documents and settings\\a_aczajk\Start Menu\Programs\Startup\desktop.ini
2011-08-31 12:56 . 2004-08-04 12:00 4570 ----a-w- d:\documents and settings\\a_aczajk\Templates\amipro.sam
2011-08-31 12:56 . 2004-08-04 12:00 5632 ----a-w- d:\documents and settings\\a_aczajk\Templates\excel.xls
2011-08-31 12:56 . 2004-08-04 12:00 1518 ----a-w- d:\documents and settings\\a_aczajk\Templates\excel4.xls
2011-08-31 12:56 . 2004-08-04 12:00 2448 ----a-w- d:\documents and settings\\a_aczajk\Templates\lotus.wk4
2011-08-31 12:56 . 2004-08-04 12:00 12288 ----a-w- d:\documents and settings\\a_aczajk\Templates\powerpnt.ppt
2011-08-31 12:56 . 2004-08-04 12:00 461 ----a-w- d:\documents and settings\\a_aczajk\Templates\presenta.shw
2011-08-31 12:56 . 2004-08-04 12:00 4017 ----a-w- d:\documents and settings\\a_aczajk\Templates\quattro.wb2
2011-08-31 12:56 . 2004-08-04 12:00 58 ----a-w- d:\documents and settings\\a_aczajk\Templates\sndrec.wav
2011-08-31 12:56 . 2004-08-04 12:00 4608 ----a-w- d:\documents and settings\\a_aczajk\Templates\winword.doc
2011-08-31 12:56 . 2004-08-04 12:00 1769 ----a-w- d:\documents and settings\\a_aczajk\Templates\winword2.doc
2011-08-31 12:56 . 2004-08-04 12:00 30 ----a-w- d:\documents and settings\\a_aczajk\Templates\wordpfct.wpd
2011-08-31 12:56 . 2004-08-04 12:00 57 ----a-w- d:\documents and settings\\a_aczajk\Templates\wordpfct.wpg
2011-08-31 12:56 . 2011-09-05 20:10 1024 ---ha-w- d:\documents and settings\\a_aczajk\ntuser.dat.LOG
2011-08-31 12:56 . 2011-08-31 12:57 3670016 ---ha-w- d:\documents and settings\\a_aczajk\ntuser.dat
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-06_20.35.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-05 19:55 . 2011-09-05 19:55 16384 c:\windows\temp\Perflib_Perfdata_898.dat
- 2007-06-25 22:57 . 2011-09-06 20:29 73120 c:\windows\system32\perfc009.dat
+ 2007-06-25 22:57 . 2011-09-05 19:58 73120 c:\windows\system32\perfc009.dat
+ 2011-09-08 12:39 . 2011-09-11 16:39 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-26 13:04 . 2011-08-05 16:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-26 13:04 . 2011-09-11 16:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-26 13:04 . 2011-08-05 16:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-09-08 12:39 . 2011-09-11 16:39 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-06-26 13:04 . 2011-08-05 16:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-06-25 22:57 . 2011-09-06 20:29 444824 c:\windows\system32\perfh009.dat
+ 2007-06-25 22:57 . 2011-09-05 19:58 444824 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-05 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-10-26 36864]
"PPScheduler"="c:\program files\ScanSoft\PaperPort\PPScheduler.exe" [2004-10-26 98304]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-03-04 72240]
"AClntUsr"="c:\altiris\AClient\AClntUsr.EXE" [2010-08-12 184320]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-05-12 143360]
"eTMonitor"="c:\program files\Common Files\Aladdin Shared\eToken\PKIClient\x32\PKIMonitor.exe" [2008-08-05 221184]
"AlstomUSBginfo"="c:\progra~1\Bginfo\bginfo.exe" [2008-08-06 845864]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-23 124224]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2004-8-20 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 300 (0x12c)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesRecycleBin"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"RecycleBinSize"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HPZRCV01.LNK
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 9.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 9.lnk
backup=c:\windows\pss\SnagIt 9.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^klevesqu^Start Menu^Programs^Startup^RT-Updater.lnk]
path=d:\documents and settings\klevesqu\Start Menu\Programs\Startup\RT-Updater.lnk
backup=c:\windows\pss\RT-Updater.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2011-05-27 12:52 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-01-25 21:34 159744 -c----w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-10-09 23:17 2183168 ------w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 00:29 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-10-26 23:08 40960 -c----w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-27 14:23 282624 -c----w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 -c----r- c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ------w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 05:01 110592 -c----w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2008-03-04 00:10 55856 ------w- c:\program files\VMware\VMware Workstation\hqtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"TrapiServer"=2 (0x2)
"TapiSrv"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"Proficy Driver Runtime"=3 (0x3)
"ose"=3 (0x3)
"Multi-user Cleanup Service"=2 (0x2)
"mnmsrvc"=3 (0x3)
"LoggingService"=2 (0x2)
"LmHosts"=2 (0x2)
"iLicenseSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"FxControlRuntime"=2 (0x2)
"FIX"=3 (0x3)
"CCFLIC0"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Altiris\\Aclient\\AClntUsr.EXE"=
"c:\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-05-29 9216]
R2 EGDCfg;EGDCfg;c:\program files\GE Industrial Systems\EgdCfgServer\EgdCfgServer.exe [2007-01-09 36864]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-07 366640]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2011-09-02 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-03-28 69192]
R2 Refresh Distributor;Refresh Distributor;c:\program files\Refresh IT Solutions\Refresh Distributor\RefreshDistributorAgent.exe [2010-12-20 644096]
R2 VDSPU100;VDSPU100;c:\windows\system32\drivers\Vdspu100.sys [2008-07-18 20512]
R3 eTSCFLT;eToken SmartCard Upper Class Filter Driver;c:\windows\system32\drivers\eTSCFLT.sys [2010-02-11 12456]
R3 ikbf5;GE Fanuc Keyboard Class Upper Filter Driver;c:\windows\system32\drivers\ikbf5.sys [2009-02-09 11688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-07 22712]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2005-02-15 18424]
S3 Intellution MBE Driver Helper;Intellution MBE Driver Helper;c:\progra~1\GEFANU~1\PR9E26~1\MBEHelperService.exe [2009-02-09 99624]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-03-28 66536]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2005-02-15 17828]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [2009-02-16 58880]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2005-02-15 26964]
S4 FxControlRuntime;FxControl Runtime;c:\program files\GE Fanuc\Proficy Machine Edition\fxControl\Runtime\NT\FxControl.exe [2008-04-01 634880]
S4 LoggingService;Proficy Log Server;c:\program files\GE Fanuc\Proficy Event Logger\LoggingService.exe [2008-04-01 143360]
S4 Proficy Driver Runtime;Proficy Driver Runtime;c:\program files\GE Fanuc\Proficy Machine Edition\fxView\Runtime\ProficyDrivers\WIN32\GefPdfOpc.exe [2006-11-24 192512]
S4 TrapiServer;Trapi File Server;c:\program files\GE Fanuc\Proficy Machine Edition\Common\Components\NT\TrapiServer.exe [2008-04-08 102400]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://iww.alstom.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: alstom.com\supplier.power
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
SafeBoot-51352876.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-05 16:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\BCMLogon.dll
c:\windows\system32\eTOKCSP.dll
c:\windows\system32\eTCAPI.dll
c:\windows\system32\eToken.dll
.
- - - - - - - > 'explorer.exe'(1480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\windows\system32\ccsrvc.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Altiris\Carbon Copy\shellker.exe
c:\windows\system32\hasplms.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Neoteris\Installer Service\NeoterisSetupService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\McAfee\Common Framework\McScript_InUse.exe
c:\progra~1\Altiris\CARBON~1\client.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\Logi_MwX.Exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe
.
**************************************************************************
.
Completion time: 2011-09-05 16:37:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-05 20:36
ComboFix2.txt 2011-09-07 17:57
ComboFix3.txt 2011-09-06 20:41
.
Pre-Run: 25,869,414,400 bytes free
Post-Run: 23,665,942,528 bytes free
.
- - End Of File - - 2BBA7EABAB30683461E9B6EE340AC460
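The sections of the ComboFix log above that a responder reads first are the Run keys, the R/S service lines, the "ORPHANS REMOVED" list and the Gmer MBR check at the end, and the one line that matters most there is "user != kernel MBR !!!". As an added example (not from this thread, from ComboFix or from BleepingComputer), here is a small Python triage helper that parses those sections and turns them into a ranked finding list. SAMPLE_LOG is a constructed excerpt modelled on the log's own line formats, and the severity labels are my own assumptions, not anything ComboFix emits.

```python
"""Triage helper for a ComboFix log.

Added example; it is not part of the BleepingComputer thread or of ComboFix
itself. It pulls out the sections a responder reads first (Run keys, services,
removed orphans, the Gmer MBR check) and flags the indicators the log shows.
SAMPLE_LOG is a constructed excerpt whose line formats mirror that log.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the thread's log (one representative line per section).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-23 124224]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-07 366640]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
SafeBoot-51352876.sys
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
"""

# "Name"="image" [date size]  -- one autorun value under a ...\CurrentVersion\Run key
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# R2 Name;Display;image [date size]  -- R = running, S = stopped; the digit is the
# start type (2 = automatic, 3 = manual, 4 = disabled). ComboFix prints "[?]" in
# place of the date and size when it cannot read the file the service points at.
SVC_RE = re.compile(r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<stamp>[^\]]*)\]$')
MBR_MISMATCH = "user != kernel MBR !!!"


@dataclass(frozen=True)
class Service:
    state: str
    name: str
    display: str
    image: str
    stamp: str


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info" (assumed labels, not ComboFix output)
    message: str


def triage(log_text):
    """Parse a ComboFix log into run entries, services and an ordered list of findings."""
    run_entries, services, findings = [], [], []
    section, in_orphans = "", False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # registry key the following values belong to
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            in_orphans = True             # load points whose target no longer exists
            continue
        if line.startswith("****"):
            in_orphans = False            # separator between ComboFix sections
            continue
        run = RUN_RE.match(line) if section.lower().endswith(r"\currentversion\run") else None
        svc = SVC_RE.match(line)
        if run:
            run_entries.append((run["name"], run["image"]))
        elif svc:
            service = Service(svc["state"], svc["name"], svc["display"], svc["image"], svc["stamp"])
            services.append(service)
            if service.stamp == "?":
                findings.append(Finding("medium", f"service {service.name}: ComboFix could not read "
                                                  f"its image file ({service.image.split(' --> ')[-1]})"))
        elif re.match(r'^"EnableFirewall"=\s*0\b', line):
            profile = section.rsplit("\\", 1)[-1]
            findings.append(Finding("medium", f"Windows Firewall is disabled in the {profile}"))
        elif in_orphans:
            findings.append(Finding("info", f"orphaned load point removed: {line.split(' - ')[0]}"))
        elif line == MBR_MISMATCH:
            findings.append(Finding("high", "user-mode and kernel-mode reads of the MBR differ, which is "
                                            "what the Gmer check reports when disk reads are being hooked"))
        elif line.startswith("user: error reading MBR"):
            findings.append(Finding("medium", "user-mode MBR read failed; rely on the kernel read and rescan"))
    return {"run": run_entries, "services": services, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{len(report['run'])} autoruns, {len(report['services'])} services")
    for finding in report["findings"]:
        print(f"[{finding.severity:6}] {finding.message}")
```

Run it on a saved ComboFix log with `triage(open("ComboFix.txt").read())`; on the constructed sample it reports the disabled firewall profile, the SASKUTIL image ComboFix could not read, the two removed orphans and the MBR mismatch, with the mismatch ranked highest because it is the only line that points at the disk itself rather than at a leftover registry entry.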

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:57 AM

Posted 11 September 2011 - 05:40 PM

Hi

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the codebox below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Collect::
c:\windows\system32\c_58134.nl_
c:\windows\system32\vovkmaeu.dll

Folder::
d:\documents and settings\\a_aczajk

Now paste the copied text into the open Notepad window - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 shortysclimbin

shortysclimbin
  • Topic Starter

  • Members
  • 11 posts

Posted 11 September 2011 - 11:13 PM

Here is the combofix log... Running rest tomorrow am...
_____________________

ComboFix 11-09-11.06 - klevesqu 2011-09-11 23:56:20.5.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1728 [GMT -4:00]
Running from: d:\documents and settings\klevesqu\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\klevesqu\Desktop\CFscript.txt
.
file zipped: c:\windows\system32\c_58134.nl_
file zipped: c:\windows\system32\vovkmaeu.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Client.ini
c:\windows\system32\c_58134.nl_
c:\windows\system32\vovkmaeu.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-12 to 2011-09-12 )))))))))))))))))))))))))))))))
.
.
2011-09-09 14:54 . 2011-09-09 14:54 -------- d-----w- d:\documents and settings\klevesqu\Local Settings\Application Data\WMTools Downloaded Files
2011-09-09 14:48 . 2008-04-14 04:16 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2011-09-09 14:48 . 2008-04-14 04:16 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
2011-09-09 14:48 . 2008-04-14 04:16 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
2011-09-09 14:48 . 2008-04-14 04:16 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2011-09-09 14:48 . 2008-04-14 04:16 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2011-09-09 14:48 . 2008-04-14 04:16 48128 ----a-w- c:\windows\system32\drivers\61883.sys
2011-09-07 20:43 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-07 20:43 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-07 20:14 . 2011-09-07 20:14 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-07 17:50 . 2011-09-07 20:12 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-09-06 20:32 . 2008-04-14 04:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-09-06 20:32 . 2008-04-14 04:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-06 20:15 . 2011-09-06 20:15 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2011-09-01 17:55 . 2011-09-01 17:55 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-08-26 18:14 . 2011-08-26 18:27 -------- d-----w- c:\windows\system32\XPSViewer
2011-08-26 18:14 . 2011-08-26 18:14 -------- d-----w- c:\program files\MSBuild
2011-08-26 18:14 . 2011-08-26 18:14 -------- d-----w- c:\program files\Reference Assemblies
2011-08-26 18:14 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-08-26 18:13 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-08-26 18:13 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-08-26 18:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-08-26 18:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-08-26 18:13 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-08-26 18:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-08-26 18:13 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-08-26 18:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-08-18 19:48 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-18 19:40 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-07 20:15 . 2004-08-03 23:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-06 18:13 . 2009-05-01 12:53 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2011-09-02 16:46 . 2008-07-14 14:59 25600 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2011-09-02 16:45 . 2008-07-14 15:35 121392 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-02 16:45 . 2011-03-28 16:30 69192 ----a-w- c:\windows\system32\mfevtps.exe
2011-09-02 16:45 . 2009-02-09 21:01 544256 ----a-w- c:\windows\system32\hasplms.exe
2011-09-02 16:45 . 2007-05-29 23:52 49152 ----a-w- c:\windows\system32\CCSRVC.exe
2011-09-02 16:44 . 2008-07-14 14:59 1925120 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2011-09-01 18:47 . 2010-02-11 19:02 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2011-07-08 14:02 . 2007-06-25 22:57 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2007-06-26 12:58 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45 . 2007-06-25 22:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45 . 2007-06-25 22:56 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45 . 2007-06-25 22:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45 . 2007-06-25 22:56 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47 . 2007-06-25 22:56 389120 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2007-06-25 22:58 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-06_20.35.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-12 04:03 . 2011-09-12 04:03 16384 c:\windows\temp\Perflib_Perfdata_564.dat
+ 2007-06-25 22:57 . 2011-09-12 03:54 72698 c:\windows\system32\perfc009.dat
+ 2011-09-08 12:39 . 2011-09-11 16:39 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-26 13:04 . 2011-08-05 16:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-26 13:04 . 2011-09-11 16:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-26 13:04 . 2011-08-05 16:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-06-25 22:57 . 2011-09-12 03:54 444236 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-05 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-10-26 36864]
"PPScheduler"="c:\program files\ScanSoft\PaperPort\PPScheduler.exe" [2004-10-26 98304]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-03-04 72240]
"AClntUsr"="c:\altiris\AClient\AClntUsr.EXE" [2010-08-12 184320]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-05-12 143360]
"eTMonitor"="c:\program files\Common Files\Aladdin Shared\eToken\PKIClient\x32\PKIMonitor.exe" [2008-08-05 221184]
"AlstomUSBginfo"="c:\progra~1\Bginfo\bginfo.exe" [2008-08-06 845864]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-23 124224]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2004-8-20 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 300 (0x12c)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesRecycleBin"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"RecycleBinSize"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HPZRCV01.LNK
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 9.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 9.lnk
backup=c:\windows\pss\SnagIt 9.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^klevesqu^Start Menu^Programs^Startup^RT-Updater.lnk]
path=d:\documents and settings\klevesqu\Start Menu\Programs\Startup\RT-Updater.lnk
backup=c:\windows\pss\RT-Updater.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2011-05-27 12:52 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-01-25 21:34 159744 -c----w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-10-09 23:17 2183168 ------w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 00:29 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-10-26 23:08 40960 -c----w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-27 14:23 282624 -c----w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 -c----r- c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ------w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 05:01 110592 -c----w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2008-03-04 00:10 55856 ------w- c:\program files\VMware\VMware Workstation\hqtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"TrapiServer"=2 (0x2)
"TapiSrv"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"Proficy Driver Runtime"=3 (0x3)
"ose"=3 (0x3)
"Multi-user Cleanup Service"=2 (0x2)
"mnmsrvc"=3 (0x3)
"LoggingService"=2 (0x2)
"LmHosts"=2 (0x2)
"iLicenseSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"FxControlRuntime"=2 (0x2)
"FIX"=3 (0x3)
"CCFLIC0"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Altiris\\Aclient\\AClntUsr.EXE"=
"c:\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-05-29 9216]
R2 EGDCfg;EGDCfg;c:\program files\GE Industrial Systems\EgdCfgServer\EgdCfgServer.exe [2007-01-09 36864]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-07 366640]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2011-09-02 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-03-28 69192]
R2 Refresh Distributor;Refresh Distributor;c:\program files\Refresh IT Solutions\Refresh Distributor\RefreshDistributorAgent.exe [2010-12-20 644096]
R2 VDSPU100;VDSPU100;c:\windows\system32\drivers\Vdspu100.sys [2008-07-18 20512]
R3 eTSCFLT;eToken SmartCard Upper Class Filter Driver;c:\windows\system32\drivers\eTSCFLT.sys [2010-02-11 12456]
R3 ikbf5;GE Fanuc Keyboard Class Upper Filter Driver;c:\windows\system32\drivers\ikbf5.sys [2009-02-09 11688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-07 22712]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2005-02-15 18424]
S3 Intellution MBE Driver Helper;Intellution MBE Driver Helper;c:\progra~1\GEFANU~1\PR9E26~1\MBEHelperService.exe [2009-02-09 99624]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-03-28 66536]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2005-02-15 17828]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [2009-02-16 58880]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2005-02-15 26964]
S4 FxControlRuntime;FxControl Runtime;c:\program files\GE Fanuc\Proficy Machine Edition\fxControl\Runtime\NT\FxControl.exe [2008-04-01 634880]
S4 LoggingService;Proficy Log Server;c:\program files\GE Fanuc\Proficy Event Logger\LoggingService.exe [2008-04-01 143360]
S4 Proficy Driver Runtime;Proficy Driver Runtime;c:\program files\GE Fanuc\Proficy Machine Edition\fxView\Runtime\ProficyDrivers\WIN32\GefPdfOpc.exe [2006-11-24 192512]
S4 TrapiServer;Trapi File Server;c:\program files\GE Fanuc\Proficy Machine Edition\Common\Components\NT\TrapiServer.exe [2008-04-08 102400]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://iww.alstom.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: alstom.com\supplier.power
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-12 00:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\BCMLogon.dll
c:\windows\system32\eTOKCSP.dll
c:\windows\system32\eTCAPI.dll
c:\windows\system32\eToken.dll
.
- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\windows\system32\ccsrvc.exe
c:\program files\Altiris\Carbon Copy\shellker.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\hasplms.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Neoteris\Installer Service\NeoterisSetupService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\progra~1\Altiris\CARBON~1\client.exe
c:\windows\stsystra.exe
c:\windows\Logi_MwX.Exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe
.
**************************************************************************
.
Completion time: 2011-09-12 00:09:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-12 04:09
ComboFix2.txt 2011-09-05 20:37
ComboFix3.txt 2011-09-07 17:57
ComboFix4.txt 2011-09-06 20:41
.
Pre-Run: 25,770,127,360 bytes free
Post-Run: 23,609,409,536 bytes free
.
- - End Of File - - ED3E988FADD58307BF8C71AABD07FBF8
Upload was successful

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 September 2011 - 08:07 PM

were you able to run the other scans?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 shortysclimbin

shortysclimbin
  • Topic Starter

  • Members
  • 11 posts

Posted 13 September 2011 - 07:54 AM

Ok MBAM freezes with a normal startup and will not complete its scan. In safe mode with networking it pulls up nothing. McAfee does now work and finds nothing.


ESET finishes and finds two files that are a part of WISE, a program used for international net connections and remote admin. The other is in quarantine.

C:\Qoobox\Quarantine\[4]-Submit_2011-09-11_23.56.17.zip Win32/Sirefef.CR trojan
C:\WINDOWS\Options\WISE231-CD-Distro.exe Win32/PrcView application
C:\WINDOWS\WISE231\WiSE_RDK_231.exe Win32/PrcView application
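A practitioner would sort those three ESET hits before acting on them. The Sirefef.CR hit sits under C:\Qoobox\Quarantine, which is ComboFix's quarantine folder, so it is the sample ComboFix zipped and submitted in the log above, not a live file. The two Win32/PrcView hits are in ESET's "application" class (potentially unsafe applications: a process viewer shipped inside the WISE remote-admin kit), which is a judgement call for the machine's owner rather than an infection. The script below is an added example, not a tool from this thread or from ESET: it parses result lines in the format posted (path, detection name, kind) and separates quarantine artefacts and flagged applications from detections that still need cleanup. The input is built from the three posted lines plus one constructed line showing what a hit outside quarantine looks like; the quarantine-folder list is taken from the logs in this thread and is an assumption for any other machine, as is the whitespace-separated line format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Quarantine folders seen in this thread's logs (ComboFix and TDSSKiller). A
# hit under one of these is a scanner reading another tool's stored sample.
# Assumption: any other machine's list will differ; extend it to match.
QUARANTINE_ROOTS = (
    r"C:\Qoobox\Quarantine",
    r"C:\TDSSKiller_Quarantine",
)

# Result lines in the form posted above: "<path> <detection> <kind>". The path
# may contain spaces, so it is matched lazily up to the detection name, which is
# the token carrying a slash (Win32/Sirefef.CR). Assumption: ESET's real export
# may separate fields differently; adjust the pattern if so.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<name>\S*/\S+)\s+(?P<kind>\S+)$")

# Constructed input: the three lines from the post plus one made-up live hit.
SAMPLE_ESET_OUTPUT = "\n".join([
    r"C:\Qoobox\Quarantine\[4]-Submit_2011-09-11_23.56.17.zip Win32/Sirefef.CR trojan",
    r"C:\WINDOWS\Options\WISE231-CD-Distro.exe Win32/PrcView application",
    r"C:\WINDOWS\WISE231\WiSE_RDK_231.exe Win32/PrcView application",
    # constructed line, not from the thread: what a hit outside quarantine looks like
    r"C:\WINDOWS\system32\constructed_example.dll Win32/Sirefef.CR trojan",
])


@dataclass
class Triage:
    quarantined: List[Tuple[str, str]] = field(default_factory=list)
    unsafe_app: List[Tuple[str, str]] = field(default_factory=list)
    live: List[Tuple[str, str]] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)


def _under_quarantine(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root.lower() + "\\") for root in QUARANTINE_ROOTS)


def triage_eset(text: str) -> Triage:
    """Split ESET hits into quarantine artefacts, flagged applications and live files."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            t.unparsed.append(line)
            continue
        path, name, kind = m.group("path"), m.group("name"), m.group("kind")
        if _under_quarantine(path):
            t.quarantined.append((path, name))
        elif kind.lower() == "application":
            # ESET's "application" class (potentially unsafe/unwanted): a tool an
            # attacker could misuse, but not malware in itself; the owner decides.
            t.unsafe_app.append((path, name))
        else:
            t.live.append((path, name))
    return t


def needs_cleanup(t: Triage) -> bool:
    """True only when something outside a quarantine folder was detected."""
    return bool(t.live)


if __name__ == "__main__":
    result = triage_eset(SAMPLE_ESET_OUTPUT)
    print("Quarantine artefacts:", result.quarantined)
    print("Potentially unsafe applications:", result.unsafe_app)
    print("Live detections:", result.live)
    print("Needs cleanup:", needs_cleanup(result))
```

With only the three posted lines as input, needs_cleanup returns False, which is the right reading of that ESET report: nothing live was found, and the quarantine hit should be left for the helper to clear along with ComboFix's Qoobox folder at the end.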

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 September 2011 - 08:01 AM

OK,

Let's see what the problem is with MBAM

Please run the following:


  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply



NEXT


  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility.
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 shortysclimbin

shortysclimbin
  • Topic Starter

  • Members
  • 11 posts

Posted 13 September 2011 - 10:43 AM

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe: Access is denied.


...
.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE: Access is denied.


..


Failed to open \\?\c:\\Program Files\VMware\VMware Workstation\vmware-tray.exe: Access is denied.


...
.No reparse points found.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 September 2011 - 11:26 AM

Please run the following:
  • please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:


c:\\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
c:\\Program Files\VMware\VMware Workstation\vmware-tray.exe



  • Now Click Unlock.
  • When it is done click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run.


Did you have any luck uninstalling and reinstalling MBAM?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
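The three "Access is denied" lines are the useful signal in that junction output, and they are exactly the paths fed to GrantPerms above. A plain read-open refused on a security product's own executable, from an account that can read everything else under Program Files, points at a rewritten ACL; that is consistent with ZeroAccess's known behaviour of killing a process that touches the rootkit's files and rewriting that executable's ACL so it cannot start again, which also explains why McAfee and SUPERAntiSpyware stopped working. The two "being used by another process" lines on hiberfil.sys and pagefile.sys are normal: the kernel holds both open exclusively. The script below is an added example, not a tool from this thread or from Sysinternals: it pulls the open failures out of junction's output, separates the denied paths from the locked ones, and emits the denied list one per line, the form pasted into GrantPerms. The sample log is a constructed excerpt of the output posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed excerpt modelled on the junction -s output posted above (the
# progress dots and most of the benign lines are left out). Not real tool output.
SAMPLE_JUNCTION_LOG = "\n".join([
    "Junction v1.06 - Windows junction creator and reparse point viewer",
    r"Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.",
    r"Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.",
    "...",
    ".",
    r"Failed to open \\?\c:\\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe: Access is denied.",
    "..",
    r"Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE: Access is denied.",
    r"Failed to open \\?\c:\\Program Files\VMware\VMware Workstation\vmware-tray.exe: Access is denied.",
    ".No reparse points found.",
])

# junction prints each failure as:  Failed to open \\?\<path>: <reason>.
# Leading dots are its progress output run into the same line.
FAILED_RE = re.compile(r"^\.*Failed to open \\\\\?\\(?P<path>.+?): (?P<reason>.+?)\.?$")


@dataclass
class JunctionSummary:
    denied: List[str] = field(default_factory=list)   # read-open refused outright
    busy: List[str] = field(default_factory=list)     # exclusive lock held elsewhere
    other: List[Tuple[str, str]] = field(default_factory=list)  # anything else, with reason
    reparse_points_found: bool = False


def parse_junction_log(text: str) -> JunctionSummary:
    """Sort junction's open failures by cause.

    denied : on a security tool's own executable this is the ACL tampering
             that GrantPerms is used to undo
    busy   : hiberfil.sys and pagefile.sys always land here; not evidence
    other  : kept with its reason for manual review
    """
    s = JunctionSummary(reparse_points_found="No reparse points found" not in text)
    for raw in text.splitlines():
        m = FAILED_RE.match(raw.strip())
        if not m:
            continue
        # junction doubles the backslash after the drive letter; collapse it so
        # the path is in the form other ACL tools (cacls, icacls) also take.
        path = m.group("path").replace("\\\\", "\\")
        reason = m.group("reason")
        if reason == "Access is denied":
            s.denied.append(path)
        elif "being used by another process" in reason:
            s.busy.append(path)
        else:
            s.other.append((path, reason))
    return s


def grantperms_input(s: JunctionSummary) -> str:
    """Denied paths one per line: the list pasted into GrantPerms' edit box."""
    return "\n".join(s.denied)


if __name__ == "__main__":
    summary = parse_junction_log(SAMPLE_JUNCTION_LOG)
    print("Locked by another process (expected):", summary.busy)
    print("Reparse points found:", summary.reparse_points_found)
    print("Access denied (check ACLs):")
    print(grantperms_input(summary))
```

The denied list is the thing to act on; a denied entry on something other than a security tool, like vmware-tray.exe here, is still worth unlocking, because the rootkit's tripwire hits whatever process happened to touch its files, not only scanners.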


#11 shortysclimbin

shortysclimbin
  • Topic Starter

  • Members
  • 11 posts

Posted 13 September 2011 - 01:20 PM

Ok new install of MBAM and it is using cpu at varied rates but the screen is blank... This is after cleaning the install with that uninstall tool and restarting twice.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 September 2011 - 10:33 PM

strange, as there weren't any references to it in the junction log

Please try uninstalling it with Revo Uninstaller to get rid of all the registry entries, then install it again

Download and install the Revo Uninstaller
  • Double click the new Revo Uninstaller icon on your desktop to start the program
  • Scroll through the listed programs and Right Click on the program you wish to uninstall
  • From the pop out menu choose Uninstall
  • Click Yes to the confirmation dialogue
  • In the next window select the Advanced mode
  • Click Next to start uninstalling the program
  • Answer Yes to confirm the uninstall
  • When the program has completed the four steps, click Next to allow the program to search for leftovers
  • Once complete, click Next, then Finish
  • Repeat the above steps for any other programs you wish to remove.


are there any other programs that are not working properly or is it just MBAM?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 shortysclimbin

shortysclimbin
  • Topic Starter

  • Members
  • 11 posts

Posted 14 September 2011 - 07:33 AM

Interesting... A full scan works fine and no other programs are having issues that I know of. I need to check a few more. Here is the log:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7710

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2011-09-13 16:10:25
mbam-log-2011-09-13 (16-10-25).txt

Scan type: Full scan (C:\|D:\|G:\|H:\|)
Objects scanned: 595146
Time elapsed: 41 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by shortysclimbin, 14 September 2011 - 07:34 AM.


#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 14 September 2011 - 07:57 AM

Yes, that is odd, you may be able to find an answer on the MalwareBytes Forum as I don't have one :)


Could you please post a fresh DDS Log and Attach.txt so I can make certain you are clean and up to date.


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 shortysclimbin

shortysclimbin
  • Topic Starter

  • Members
  • 11 posts

Posted 14 September 2011 - 09:22 AM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Run by klevesqu at 10:19:11 on 2011-09-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1127 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\GE Industrial Systems\EgdCfgServer\EgdCfgServer.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Refresh IT Solutions\Refresh Distributor\RefreshDistributorAgent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Common Files\Aladdin Shared\eToken\PKIClient\x32\PKIMonitor.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Autodesk\Acade 2008\acad.exe
D:\DOCUME~1\klevesqu\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Juniper Networks\Network Connect 5.4.0\dsNetworkConnect.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
svchost.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://iww.alstom.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [PPScheduler] "c:\program files\scansoft\paperport\PPScheduler.exe"
mRun: [vmware-tray] c:\program files\vmware\vmware workstation\vmware-tray.exe
mRun: [AClntUsr] c:\altiris\aclient\AClntUsr.EXE
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [eTMonitor] c:\program files\common files\aladdin shared\etoken\pkiclient\x32\PKIMonitor.exe
mRun: [AlstomUSBginfo] c:\progra~1\bginfo\bginfo.exe c:\progra~1\bginfo\AlstomUSXPAtos.bgi /timer:0 /silent /nolicprompt
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoPropertiesRecycleBin = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: RecycleBinSize = 5 (0x5)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: MaxGPOScriptWait = 300 (0x12c)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: alstom.com\supplier.power
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7DBFDD36-AECB-4ECC-A383-DEABF42B3362} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CFD67D4D-13B9-451A-8EFC-8A17134E3E33} : DhcpNameServer = 10.3.36.12 10.3.1.8
Notify: igfxcui - igfxdev.dll
Hosts: 159.245.34.72 sslamer.alstom.com
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-8 344712]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-5-29 9216]
R2 EGDCfg;EGDCfg;c:\program files\ge industrial systems\egdcfgserver\EgdCfgServer.exe [2007-1-9 36864]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-13 366152]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2011-9-2 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-9-2 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-28 69192]
R2 Refresh Distributor;Refresh Distributor;c:\program files\refresh it solutions\refresh distributor\RefreshDistributorAgent.exe [2010-12-20 644096]
R2 VDSPU100;VDSPU100;c:\windows\system32\drivers\Vdspu100.sys [2008-7-18 20512]
R3 eTSCFLT;eToken SmartCard Upper Class Filter Driver;c:\windows\system32\drivers\eTSCFLT.sys [2010-2-11 12456]
R3 ikbf5;GE Fanuc Keyboard Class Upper Filter Driver;c:\windows\system32\drivers\ikbf5.sys [2009-2-9 11688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-13 22216]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-10-22 147984]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2005-2-15 18424]
S3 Intellution MBE Driver Helper;Intellution MBE Driver Helper;c:\progra~1\gefanu~1\pr9e26~1\MBEHelperService.exe [2009-2-9 99624]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-8 91896]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-8 43192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-28 66536]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2005-2-15 17828]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [2009-2-16 58880]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2005-2-15 26964]
S4 FxControlRuntime;FxControl Runtime;c:\program files\ge fanuc\proficy machine edition\fxcontrol\runtime\nt\FxControl.exe [2008-4-1 634880]
S4 LoggingService;Proficy Log Server;c:\program files\ge fanuc\proficy event logger\LoggingService.exe [2008-4-1 143360]
S4 Proficy Driver Runtime;Proficy Driver Runtime;c:\program files\ge fanuc\proficy machine edition\fxview\runtime\proficydrivers\win32\GefPdfOpc.exe [2006-11-24 192512]
S4 TrapiServer;Trapi File Server;c:\program files\ge fanuc\proficy machine edition\common\components\nt\TrapiServer.exe [2008-4-8 102400]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-09-14 14:04:13 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll.new
2011-09-13 16:45:43 -------- d-----w- d:\documents and settings\klevesqu\application data\Malwarebytes
2011-09-13 16:43:12 -------- d-----w- d:\documents and settings\all users\application data\Malwarebytes
2011-09-13 16:43:09 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-13 16:43:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-09 14:54:51 -------- d-----w- d:\documents and settings\klevesqu\local settings\application data\WMTools Downloaded Files
2011-09-09 14:48:08 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2011-09-09 14:48:08 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
2011-09-09 14:48:04 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
2011-09-09 14:48:04 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2011-09-09 14:48:00 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2011-09-09 14:48:00 48128 ----a-w- c:\windows\system32\drivers\61883.sys
2011-09-07 20:14:22 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-07 17:50:19 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-09-06 20:32:09 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-09-06 20:32:09 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-06 20:18:16 256000 ----a-w- c:\windows\PEV.exe
2011-09-06 20:18:16 208896 ----a-w- c:\windows\MBR.exe
2011-09-06 20:15:41 -------- d-----w- d:\documents and settings\all users\application data\PC Tools
2011-08-26 18:14:42 -------- d-----w- c:\windows\system32\XPSViewer
2011-08-26 18:14:13 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-08-26 18:13:45 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-08-26 18:13:45 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-08-26 18:13:45 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-08-26 18:13:45 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-08-26 18:13:45 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-08-26 18:13:45 117760 ------w- c:\windows\system32\prntvpt.dll
2011-08-26 18:13:44 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-08-26 18:13:44 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-08-18 19:48:47 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-18 19:40:59 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-09-07 20:15:06 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-06 18:13:29 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2011-09-02 16:46:01 25600 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2011-09-02 16:45:58 121392 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-02 16:45:28 69192 ----a-w- c:\windows\system32\mfevtps.exe
2011-09-02 16:45:12 544256 ----a-w- c:\windows\system32\hasplms.exe
2011-09-02 16:45:00 49152 ----a-w- c:\windows\system32\CCSRVC.exe
2011-09-02 16:44:57 1925120 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2011-09-01 18:47:52 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47:20 389120 ------w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A909AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP1T0L0-e[0x8AA11D98]
kernel: MBR read successfully
_asm { JMP 0x1c; }
user != kernel MBR !!!
.
============= FINISH: 10:19:52.23 ===============


Attach.txt
_________________


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2007-06-26 09:04:30
System Uptime: 2011-09-13 11:54:05 (23 hours ago)
.
Motherboard: Dell Inc. | | 0KU184
Processor: Intel® Core™2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1994/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 40 GiB total, 21.511 GiB free.
D: is FIXED (NTFS) - 72 GiB total, 47.642 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\3B0A25C1394FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter #3
PNP Device ID: V1394\NIC1394\3B0A25C1394FC000
Service: NIC1394
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet1
Device ID: ROOT\VMWARE\0000
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet1
PNP Device ID: ROOT\VMWARE\0000
Service: VMnetAdapter
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet8
Device ID: ROOT\VMWARE\0001
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet8
PNP Device ID: ROOT\VMWARE\0001
Service: VMnetAdapter
.
==== System Restore Points ===================
.
RP1: 2011-09-07 16:05:02 - System Checkpoint
RP2: 2011-09-08 02:19:46 - System Checkpoint
RP3: 2011-09-08 18:26:30 - System Checkpoint
RP4: 2011-09-09 05:25:22 - System Checkpoint
RP5: 2011-09-11 12:54:46 - System Checkpoint
RP6: 2011-09-05 16:10:32 - System Checkpoint
RP7: 2011-09-11 17:23:55 - System Checkpoint
RP8: 2011-09-12 10:28:55 - System Checkpoint
RP9: 2011-09-12 23:09:52 - System Checkpoint
RP10: 2011-09-13 09:21:21 - System Checkpoint
RP11: 2011-09-13 21:58:42 - System Checkpoint
RP12: 2011-09-14 08:59:46 - System Checkpoint
RP13: 2011-09-14 10:03:59 - Installed Windows KB954550-v5.
RP14: 2011-09-14 10:04:09 - Printer Driver Microsoft XPS Document Writer Installed
RP15: 2011-09-14 10:04:19 - Printer Driver Microsoft XPS Document Writer Installed
.
==== Installed Programs ======================
.
AC 110 AMPL Libraries 3.0/0
AC 110 AMPL Libraries 3.1/0
AC 110 AMPL Libraries 3.2/0
AC 110 AMPL Libraries 3.2/1
AC 160 AMPL Libraries 3.0/0
AC 160 AMPL Libraries 3.1/0
AC 160 AMPL Libraries 3.2/0
AC 160 AMPL Libraries 3.2/1
AC 410 AMPL Libraries 3.0/0
AC 410 AMPL Libraries 3.1/0
AC 410 AMPL Libraries 3.2/0
AC 410 AMPL Libraries 3.2/1
AC 450 AMPL Libraries 3.0/0
AC 450 AMPL Libraries 3.1/0
AC 450 AMPL Libraries 3.2/0
AC 450 AMPL Libraries 3.2/1
AC 55 AMPL Libraries 3.0/0
AC 55 AMPL Libraries 3.1/0
AC 55 AMPL Libraries 3.2/0
AC 55 AMPL Libraries 3.2/1
AC 70 AMPL Libraries 3.0/0
AC 70 AMPL Libraries 3.1/0
AC 70 AMPL Libraries 3.2/0
AC 70 AMPL Libraries 3.2/1
Adobe Acrobat 8 Professional
Adobe Acrobat 8.3.0 - CPSID_83708
Adobe Acrobat 8.3.0 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Advasoft AMPL Libraries 3.0/0
Advasoft AMPL Libraries 3.1/0
Advasoft AMPL Libraries 3.2/0
ADVASOFT AMPL Libraries 3.2/1
AiO_Scan_CDA
Aladdin eToken PKI Client 4.55 EN
Alstom-ln Screen Saver
Alstom Certification Authorities
Alstom PC SOE 0.1
ALSTOM SSL VPN Client Configuration
Altiris Carbon Copy Solution Agent
Altiris Carbon Copy Solution Agent 6.2
Altiris Software Delivery Solution Agent
Altiris Task Synchronization Agent
AMT - Production Release
Application Builder 2.5/1
Application Builder 4.0/0
Application Builder 4.1/0
AutoCAD Electrical 2008
AutoCAD Electrical 2008 Service Pack 1
Autodesk Design Review 2009
Bentley View (V 08.05.02.35) - 1
Bluetooth Stack for Windows by Toshiba
Broadcom Gigabit Integrated Controller
Bus Configuration Builder 2.5/0
Bus Configuration Builder 3.0/0
Bus Configuration Builder 3.0/1
Canon iP90
Canon iP90 series User Registration
Canon iP90 Setup Utility
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Dell Touchpad
Dell Wireless WLAN Card
Depp2000 Viewer
Discovery
Egd Cfg Client Library - V03.01.00C
EGD Generic Editor
EGD Management Tool
EgdCfgServer
FCB Uploader
Function Chart Builder 4.5/2
Function Chart Builder 6.0/0
Function Chart Builder 6.1/0
Function Chart Builder 6.2/0
Function Chart Builder 6.2/1
GE9 I/O Server
GEF I/O Server
GNU Ghostscript 7.06 EN
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976098-v2)
HP Photosmart, Officejet and Deskjet 7.0.A
iFIX OPC Client
ImgBurn
Intel® Graphics Media Accelerator Driver
iPassConnect
Java 2 Runtime Environment, SE v1.4.2
Java DB 10.3.1.4
Java™ 6 Update 13
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 7
JD2 Tube Bend App.
Juniper Installer Service
Juniper Networks Host Checker
Juniper Networks Network Connect 5.4.0
Logitech MouseWare 9.79.1
Lotus Notes 6.5.5
M1 Licensing
M4 Common Licensing
Machine Edition Dependencies Upgrade
Malwarebytes' Anti-Malware version 1.51.2.1300
MB1 I/O Server
MBE I/O Server
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
ME-BDE
MetaFrame Presentation Server Client
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Access 2000 SR-1
Microsoft Access 2000 SR-1 Runtime
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Standard
Microsoft Office PowerPoint Viewer 2007 EN
Microsoft Office Visio Viewer 2003 (English)
Microsoft Project 2000
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Windows Installer 4.5 EN
MP200/1 AMPL Libraries 3.0/0
MP200/1 AMPL Libraries 3.1/0
MP200/1 AMPL Libraries 3.2/0
MP200/1 AMPL Libraries 3.2/1
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP3 Parser
MSXML 6 Service Pack 2 (KB954459)
My-T-Soft
On-line Builder 2.5/2
On-line Builder 3.0/0
On-line Builder 3.0/1
On-line Builder 3.0/2
OpenTrust SCM 3.5.2
OpenTrust SCM Client 4.1.1 EN
OpenTrust SCM Installation Kit 3.5 for Alstom
OZ776 SCR Driver V1.1.3.9
PowerDVD 5.7
Pro Client
Proficy Common Licensing
Proficy Discovery and Auto-Assembly Component
Proficy Event Logger
Proficy Historian
Proficy HMI SCADA - iFIX
Proficy HMI SCADA - iFIX 4.5
Proficy Machine Edition
ProficyDoc
QFolder
QuickTime
RealPlayer Enterprise
RedistSysFiles
Refresh Distributor 3.1
Refresh IT Solutions Refresh Distributor 3.1 EN
RUMBA
Scan
ScanSoft PaperPort 10.0
ScanSoft PDF Create 2.0
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Skype™ 3.8
Snagit 9.1.3
SoftVision Notes 2 pdf 3.1 EN
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Unlocker 1.9.1
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB973815)
VBA (2627.01)
VCDS Release 805.1
VCDS Release 908.0
Visual Basic for Applications ® Core
Visual Basic for Applications ® Core - English
VMware Workstation
VNC Free Edition 4.1.1
WebFldrs XP
WinConverter 2.1
Windows Driver Package - Ross-Tech USB Driver Package (05/21/2009 2.04.18)
Windows Driver Package - Ross-Tech USB Driver Package (11/16/2007 6.0.2.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinMerge 2.12.4
WinZip
ZipMail V8 for Lotus Notes
.
==== Event Viewer Messages From Past Week ========
.
2011-09-13 11:47:40, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
2011-09-12 14:36:18, error: Service Control Manager [7000] - The McAfee McShield service failed to start due to the following error: Access is denied.
2011-09-12 14:33:38, error: Dhcp [1002] - The IP address lease 10.3.57.32 for the Network Card with network address 00FFD8EA6F8A has been denied by the DHCP server 10.200.200.200 (The DHCP Server sent a DHCPNACK message).
2011-09-12 13:07:09, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASKUTIL
2011-09-12 13:07:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Altiris Client Service service to connect.
2011-09-12 13:07:09, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2011-09-12 13:07:09, error: Service Control Manager [7000] - The Altiris Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2011-09-12 13:05:34, error: NETLOGON [5719] - No Domain Controller is available for domain DOM3 due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
2011-09-12 13:04:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2011-09-12 11:48:05, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: CCDevice Fips intelppm mfehidk SASKUTIL Tosrfcom
2011-09-12 11:48:05, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
2011-09-12 11:48:05, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
2011-09-12 09:47:58, error: Dhcp [1002] - The IP address lease 10.3.57.32 for the Network Card with network address 00FF70956E8A has been denied by the DHCP server 10.200.200.200 (The DHCP Server sent a DHCPNACK message).
2011-09-11 23:56:18, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2011-09-11 17:05:56, error: Dhcp [1002] - The IP address lease 10.3.57.32 for the Network Card with network address 00FF38A66E8A has been denied by the DHCP server 10.200.200.200 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================


Thanks again!



