Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE redirects, graphics interference, network password requests and other odd behavior


  • This topic is locked This topic is locked
27 replies to this topic

#1 tb12

tb12

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 16 November 2011 - 03:45 PM

This is a post per the nstructions of orange blossom. This system is running Win XP Pro, sp3 with a 1 TB external backup (Western Digital) which constantly updates the back up files. Redirects have become common and recently some graphics interference as in web pages slowly scroll down filling bottom to top visibly. An update check on the graphics driver and software has not produce improvement. The redirects occur mainly on IE however, have been observed on FF as well. Also recently, before auto update of email on Outlook, a password request box opens and the email will n ot update without response. I suspect usage of the system by maintenance personnel as the system has on occassion been found in condition other than how it wsa left the evening before. Within the last 30 days email address was hijacked appaently at the server (yahoo/att)and spam advertising sent to all the cntents of my contact list. The network pass was changed as a protective measure adn the email issue has not resurfaced. Prior to contacting BP, a full system scan was run though McAfee and through MBAM and Sa. Other than expected minor tracking cookies, nothing out of the ordinary was found. The link to the posting on "am I infected" is as follows:
http://www.bleepingcomputer.com/forums/topic427102.html/page__st__15

DDS:.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Thomas Bueschel at 9:59:29 on 2011-11-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2354 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Thomas Bueschel\Local Settings\Application Data\Akamai\netsession_win.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://search.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://search.yahoo.com
mSearch Page = hxxp://search.yahoo.com
mSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111109163237.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Akamai NetSession Interface] c:\documents and settings\thomas bueschel\local settings\application data\akamai\netsession_win.exe
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WD Anywhere Backup Premium] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\thomas bueschel\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234296436968
DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{D9CA3260-B766-4C22-A04C-BF25F554B706} : DhcpNameServer = 10.0.0.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\thomas bueschel\application data\mozilla\firefox\profiles\s11dry5n.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\documents and settings\thomas bueschel\application data\mozilla\firefox\profiles\s11dry5n.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 464176]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2010-12-16 22312]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-9-21 89792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-13 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-25 14336]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-2-4 8960]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-10 94880]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-21 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-21 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-21 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-9-21 166288]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2010-3-4 25824]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-9-21 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-9-21 150856]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-1-30 106496]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-9-21 57600]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-2-4 11264]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-10 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-10 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-9-21 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-9-21 83856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-8 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-8 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-9-21 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-21 87656]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-10 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-10 40552]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-2-4 16640]
.
=============== Created Last 30 ================
.
2011-11-10 17:24:22 -------- d--h--w- c:\windows\PIF
2011-11-04 15:27:27 -------- d-----w- c:\documents and settings\thomas bueschel\local settings\application data\Akamai
2011-11-01 21:07:25 -------- d-----w- c:\program files\AMD APP
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-17 17:55:20 -------- d-----w- c:\program files\iPod
2011-10-17 17:33:36 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-11-16 15:06:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 20:32:30 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-15 19:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 19:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 19:16:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 19:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-12 21:16:30 56832 ----a-w- c:\windows\system32\OpenVideo.dll
2011-10-12 21:15:40 13753856 ----a-w- c:\windows\system32\amdocl.dll
2011-10-12 21:14:50 43520 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-12 20:53:08 7206400 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-10-12 20:50:50 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-10-12 20:28:58 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-10-12 20:28:48 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-10-12 20:25:46 5828608 ----a-w- c:\windows\system32\aticaldd.dll
2011-10-12 20:15:46 18874368 ----a-w- c:\windows\system32\atioglxx.dll
2011-10-12 20:04:48 3953664 ----a-w- c:\windows\system32\ati3duag.dll
2011-10-12 20:01:12 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-10-12 20:00:06 304128 ----a-w- c:\windows\system32\ati2dvag.dll
2011-10-12 19:58:36 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-10-12 19:44:38 3278848 ----a-w- c:\windows\system32\ativvaxx.dll
2011-10-12 19:42:32 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-10-12 19:42:18 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-10-12 19:42:10 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-10-12 19:42:02 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-10-12 19:41:50 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-10-12 19:40:34 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-10-12 19:39:06 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-10-12 19:37:30 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-10-12 19:33:46 503808 ----a-w- c:\windows\system32\atiok3x2.dll
2011-10-12 19:33:20 806912 ----a-w- c:\windows\system32\atikvmag.dll
2011-10-12 19:29:04 221184 ----a-w- c:\windows\system32\atiadlxx.dll
2011-10-12 19:28:46 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-10-12 19:23:52 65024 ----a-w- c:\windows\system32\atimpc32.dll
2011-10-12 19:23:52 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2011-10-12 19:22:14 884736 ----a-w- c:\windows\system32\ati2cqag.dll
2011-10-12 19:19:50 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-05 15:24:45 0 ---ha-w- c:\documents and settings\thomas bueschel\zgcicegpob.tmp
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:25:11 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 04:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 04:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 10:00:47.18 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:36 AM

Posted 20 November 2011 - 09:23 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. [/b]
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 tb12

tb12
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 20 November 2011 - 02:01 PM

I am unable to download OTL from your link. I experienced this in the prior thread when asked to download securitycheck. Eventually I attempted the download with Firefox and it was successful. In the case of OTL, the same thing occurr4ed, upon clicking the link a new window opened in IE showing the address of sacore; however, the page would not load and the window would not close. I eventually tried ending through task manager; however, the entire IE was closed. I then tried opening through FF; however, FF first updated itself. Then upon opening, i received the save of run message. I clicked on save to desktop. Nothing happened and when I checked the download file in FF the OTL.exe showed in the file but with the message download failed. This was attempted several more times w9ithout success. Now I no longer get any options screen but a new windows opens with the message "problem loading page" I cannot get to the link and cannot download through either IE or FF.

#4 tb12

tb12
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 20 November 2011 - 02:08 PM

I also went to the OTL page on Geekstogo and attempted their alternative download sites without success.

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:36 AM

Posted 20 November 2011 - 07:51 PM

Hi,

in that case please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 tb12

tb12
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 21 November 2011 - 02:46 PM

Out of town until 11/23 will run combofix then. Sorry for the delay.

#7 tb12

tb12
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 23 November 2011 - 03:54 PM

combo log:
ComboFix 11-11-23.01 - Thomas Bueschel 11/23/2011 14:43:35.5.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2300 [GMT -6:00]
Running from: c:\documents and settings\Thomas Bueschel\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Thomas Bueschel\Application Data\Mozilla\Firefox\Profiles\s11dry5n.default\extensions\{07c49d9b-ab97-4387-9493-0e6fe6299bb4}
c:\documents and settings\Thomas Bueschel\Application Data\Mozilla\Firefox\Profiles\s11dry5n.default\extensions\{07c49d9b-ab97-4387-9493-0e6fe6299bb4}\chrome.manifest
c:\documents and settings\Thomas Bueschel\Application Data\Mozilla\Firefox\Profiles\s11dry5n.default\extensions\{07c49d9b-ab97-4387-9493-0e6fe6299bb4}\chrome\xulcache.jar
c:\documents and settings\Thomas Bueschel\Application Data\Mozilla\Firefox\Profiles\s11dry5n.default\extensions\{07c49d9b-ab97-4387-9493-0e6fe6299bb4}\defaults\preferences\xulcache.js
c:\documents and settings\Thomas Bueschel\Application Data\Mozilla\Firefox\Profiles\s11dry5n.default\extensions\{07c49d9b-ab97-4387-9493-0e6fe6299bb4}\install.rdf
c:\documents and settings\Thomas Bueschel\WINDOWS
c:\documents and settings\Thomas Bueschel\zgcicegpob.tmp
c:\windows\CSC\d6
E:\install.exe
E:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-23 to 2011-11-23 )))))))))))))))))))))))))))))))
.
.
2011-11-10 17:24 . 2011-11-10 17:24 -------- d--h--w- c:\windows\PIF
2011-11-04 15:27 . 2011-11-18 17:06 -------- d-----w- c:\documents and settings\Thomas Bueschel\Local Settings\Application Data\Akamai
2011-11-01 21:07 . 2011-11-01 21:07 -------- d-----w- c:\program files\AMD APP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 15:06 . 2011-05-19 14:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 20:32 . 2010-09-21 14:23 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-15 19:16 . 2010-09-21 14:23 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16 . 2010-09-21 14:23 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 19:16 . 2010-09-21 14:23 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 19:16 . 2010-09-21 14:23 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 19:16 . 2010-09-21 14:23 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16 . 2010-09-21 14:23 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16 . 2010-09-21 14:23 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2009-02-10 17:44 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16 . 2009-02-10 17:44 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2009-01-09 18:03 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-12 21:16 . 2011-10-12 21:16 56832 ----a-w- c:\windows\system32\OpenVideo.dll
2011-10-12 21:15 . 2011-10-12 21:15 13753856 ----a-w- c:\windows\system32\amdocl.dll
2011-10-12 21:14 . 2011-10-12 21:14 43520 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-12 20:53 . 2009-02-04 08:55 7206400 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-10-12 20:50 . 2009-02-04 08:55 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-10-12 20:28 . 2011-10-14 15:20 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-10-12 20:28 . 2011-10-14 15:20 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-10-12 20:25 . 2011-10-14 15:20 5828608 ----a-w- c:\windows\system32\aticaldd.dll
2011-10-12 20:15 . 2011-10-14 15:20 18874368 ----a-w- c:\windows\system32\atioglxx.dll
2011-10-12 20:04 . 2009-02-04 08:55 3953664 ----a-w- c:\windows\system32\ati3duag.dll
2011-10-12 20:01 . 2009-02-04 08:55 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-10-12 20:00 . 2009-02-04 08:55 304128 ----a-w- c:\windows\system32\ati2dvag.dll
2011-10-12 19:58 . 2011-10-14 15:20 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-10-12 19:44 . 2009-02-04 08:55 3278848 ----a-w- c:\windows\system32\ativvaxx.dll
2011-10-12 19:42 . 2009-02-04 08:55 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-10-12 19:42 . 2009-02-04 08:55 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-10-12 19:42 . 2009-02-04 08:55 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-10-12 19:42 . 2009-02-04 08:55 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-10-12 19:41 . 2009-02-04 08:55 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-10-12 19:40 . 2009-02-04 08:55 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-10-12 19:39 . 2009-02-04 08:55 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-10-12 19:37 . 2011-10-14 15:20 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-10-12 19:33 . 2009-02-04 08:55 503808 ----a-w- c:\windows\system32\atiok3x2.dll
2011-10-12 19:33 . 2009-02-04 08:55 806912 ----a-w- c:\windows\system32\atikvmag.dll
2011-10-12 19:29 . 2009-02-04 08:55 221184 ----a-w- c:\windows\system32\atiadlxx.dll
2011-10-12 19:28 . 2009-02-04 08:55 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-10-12 19:23 . 2011-10-14 15:20 65024 ----a-w- c:\windows\system32\atimpc32.dll
2011-10-12 19:23 . 2009-02-04 08:55 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2011-10-12 19:22 . 2009-02-04 08:55 884736 ----a-w- c:\windows\system32\ati2cqag.dll
2011-10-12 19:19 . 2009-02-04 08:55 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2010-03-31 17:14 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-11-20 18:51 . 2011-03-18 21:43 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-09-21 14:23 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Akamai NetSession Interface"="c:\documents and settings\Thomas Bueschel\Local Settings\Application Data\Akamai\netsession_win.exe" [2011-11-17 3303000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"8169Diag"="c:\program files\Realtek\Diagnostics Utility\8169Diag.exe" [2008-02-26 909312]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"WD Anywhere Backup Premium"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2010-03-05 222432]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-09-11 128232]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-01-14 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-01-14 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 98304]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
.
c:\documents and settings\Thomas Bueschel\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2011-5-6 225280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-26 813584]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-18 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery
.
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [12/16/2010 12:04 PM 22312]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [9/21/2010 8:23 AM 89792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 10:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 4:10 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/13/2010 2:38 PM 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/25/2008 10:16 AM 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/10/2009 11:45 AM 94880]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/21/2010 8:23 AM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [9/21/2010 8:23 AM 214904]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [3/4/2010 7:36 PM 25824]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [9/21/2010 8:23 AM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/21/2010 8:23 AM 150856]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 4:52 AM 106496]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [9/21/2010 8:23 AM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [9/21/2010 8:23 AM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [9/21/2010 8:23 AM 83856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2011 7:51 AM 136176]
S2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2/4/2009 12:10 AM 8960]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2/4/2009 12:10 AM 11264]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2011 7:51 AM 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [9/21/2010 8:23 AM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/21/2010 8:23 AM 87656]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2/4/2009 12:10 AM 16640]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-08 13:51]
.
2011-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-08 13:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 10.0.0.1
DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
FF - ProfilePath - c:\documents and settings\Thomas Bueschel\Application Data\Mozilla\Firefox\Profiles\s11dry5n.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-23 14:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Thomas Bueschel\Application Data\WD\WD Anywhere Backup\sourceq.db3-journal
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_d768ebc.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1164)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2011-11-23 14:47:58
ComboFix-quarantined-files.txt 2011-11-23 20:47
.
Pre-Run: 273,079,259,136 bytes free
Post-Run: 273,415,372,800 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - DEE70EAACC47756B367CD3D76612A39B

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:36 AM

Posted 23 November 2011 - 05:01 PM

How is the PC doing?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 tb12

tb12
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 23 November 2011 - 05:36 PM

haven't used it much after combo fix; shlold I resume activity

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:36 AM

Posted 23 November 2011 - 05:43 PM

Hi,

yes, in particular I'd need to know which symptoms remain.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 tb12

tb12
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 29 November 2011 - 12:26 PM

Ok; resumed using the system and there are no redirects as experienced before; however, there are some other oddities such as google searches not proceeding to list of sites but to google main site. My McAfee virus identified Tool-Nircmd and quarantined but this might be one of the tools from bp? It also blocked akamai netsession interface from accessing the web. This is a fairly recent access request which was received on several ocassions within the last 30 days or so. I do not recall such program being used on my system before and do not know what it is for so I did not allow connection. Howeveer, I expect so see it occur again. The requests for network passwords have not recurred and otherwise the system seems to be oprating normally. the graphics interference have not recurred.

#12 tb12

tb12
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 29 November 2011 - 03:54 PM

I also just had another event where the screen went black then blue screen with message of physical memory dump. Shut down and restart went okay. The file ati2dvag was identified as the problem with an "indefinite loop"?

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:36 AM

Posted 30 November 2011 - 05:45 PM

Hi,

ok, so the nircmd detection is indeed likely from one of the tools we used. There's nothing to worry about that.

To stop the akamai messages uninstall the following programs:
Akamai NetSession Interface
Akamai NetSession Interface Service

Please also flush your dns and let me know if the google searches improve afterwards:
go to strart-> click on run as..., type in cmd. A black window will open. Into that window type ipconfig /flushdns.

Finally the BSOD you mention seems to be related to your graphic card. Let me know if it occurs again.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 tb12

tb12
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Local time:12:36 AM

Posted 30 November 2011 - 06:04 PM

I have uninstalled the two Akamai programs through control panel and run the dns flush, as instructed, successfully. The BSOD has not recurred; however, the graphics interference continues. In my original description I noted the graphics interferece with the slow scrolling pages on the internet (a wave action) which does continue. The BSOD has occurred periodically over the last several months and was one of the symptoms which led me to suspect a virus. The requests for network password ceased briefly (a day or two) following the combo fix appliation however, has returned. I will conduct several google searches on IE and FF and report the result.

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:36 AM

Posted 30 November 2011 - 06:13 PM

Please also run a scan with TDSSKiller for me:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users