Infected, killed it... am I clean?


This topic is locked
27 replies to this topic

#1 JR2_Alaska

JR2_Alaska

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 06 January 2012 - 10:31 PM

When I opened my laptop this AM it had the BSOD and referenced the atapi.sys file. I booted into safe mode and ran TDSSKiller and it found: \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) I let it cure the infection and then rebooted and logged into my normal account with no problems. I ran Malwarebytes (I have a registered copy) and it found nothing. The computer seems to be acting about as good as it ever does but I wanted to be sure it was clean. Below are all the items one is supposed to attach, plus the TDSSKiller log from when I let it cure my problems.

One side note, I am unable to run defogger due to a lack of admin rights, however I am an admin on this computer???

Thanks in advance.

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_24
Run by rathert at 16:25:39 on 2012-01-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2814 [GMT -9:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\lxeacoms.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\SlipStream\NetSwitch\WDisW.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Novadigm\radexecd.exe
C:\PROGRA~1\Novadigm\radsched.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
D:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
d:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\rathert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\rathert\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = https://gateway.slb.com/dana-na/auth/url_default/welcome.cgi
uDefault_Page_URL = hxxp://hub.slb.com
mDefault_Page_URL = hxxp://hub.slb.com
mStart Page = hxxp://www.hub.slb.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111202150332.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\rathert\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [CmgShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [EmsService] EmsServiceHelper.exe
mRun: [EFS] c:\windows\system32\wscript.exe c:\progra~1\novadigm\SLB_EFS.VBS
mRun: [Norton Ghost 12.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [RUNRADTRAY] c:\progra~1\novadigm\radtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LWS] d:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Malwarebytes' Anti-Malware] "d:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Trusted Zone: abbeyinternational.com
Trusted Zone: accenture.com
Trusted Zone: alpinemud.com
Trusted Zone: atbalance.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: boydsrental.com
Trusted Zone: citibank.com
Trusted Zone: coiltubingservices.com
Trusted Zone: deeptec.com.br
Trusted Zone: dell.com
Trusted Zone: drillmotors.com
Trusted Zone: dutchco.com
Trusted Zone: dyna-drill.com
Trusted Zone: dynadrill.com
Trusted Zone: ecutec.com
Trusted Zone: ecutec.eu
Trusted Zone: emhobbs.com
Trusted Zone: employcareers.com
Trusted Zone: enertech-ws.com
Trusted Zone: etrade.com
Trusted Zone: extremeeng.com
Trusted Zone: geodiamond.com
Trusted Zone: geoquest.com
Trusted Zone: geoservices.com
Trusted Zone: indigopool.com
Trusted Zone: innerlogix.com
Trusted Zone: intouchsupport.com
Trusted Zone: iwilson.com
Trusted Zone: microsoft.com
Trusted Zone: miswaco.com
Trusted Zone: miswaco.com\web
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: nexusgeo.com
Trusted Zone: omniseals.com
Trusted Zone: pathfinder-int.com
Trusted Zone: pathfinder-ltd.co.uk
Trusted Zone: pathfinderlwd.com
Trusted Zone: perfolog.com
Trusted Zone: petroal.ru
Trusted Zone: petroalliance.com
Trusted Zone: siismithservices.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: smartforce.com
Trusted Zone: smith-innerarmor.com
Trusted Zone: smith-intl.com
Trusted Zone: smith.com
Trusted Zone: smith.com\smithlink
Trusted Zone: smithbits.com
Trusted Zone: smithborehole.com
Trusted Zone: smithdrilling.com
Trusted Zone: ssafara.net
Trusted Zone: standardchartered.com\webbank
Trusted Zone: sweco.com
Trusted Zone: thomastools.com
Trusted Zone: unitedwire.com
Trusted Zone: virtualbranches.com
Trusted Zone: weirhouston.com
Trusted Zone: westerngeco.com
Trusted Zone: whdrillingsolutions.com
Trusted Zone: whes.com
Trusted Zone: wilsonconfidential.com
Trusted Zone: wilsonconfidential.com\www
Trusted Zone: wilsononline.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP1-11759/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://gateway.slb.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 191.168.1.254
TCP: Interfaces\{5AE13C25-052F-41A7-A289-1FA9F4A47EBB} : DhcpNameServer = 191.168.1.254
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Notify: CMGShieldNP - CmgShieldNP.dll
Notify: slbScCertProp - c:\windows\system32\ScCertProp.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rathert\application data\mozilla\firefox\profiles\ypi99ins.default\
FF - plugin: c:\documents and settings\rathert\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: d:\program files\google\picasa3\npPicasa2.dll
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\videolan1\vlc\npvlc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2009-4-8 404592]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-2 436728]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-1-16 14464]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-2 88544]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [2009-4-8 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [2009-4-8 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [2007-5-7 52432]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-28 652872]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-6-8 132416]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-2 159320]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-2 145936]
R2 MSSQL$DRILLING;SQL Server (DRILLING);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-9-6 29180768]
R2 NetSwitch;NetSwitch;c:\program files\slipstream\netswitch\WDisW.exe [2011-6-23 26112]
R2 RADEXECD;HP OVCM Notify Daemon;c:\progra~1\novadigm\radexecd.exe [2010-5-24 300776]
R2 RADSCHED;HP OVCM Scheduler Daemon;c:\progra~1\novadigm\radsched.exe [2010-5-24 194280]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [2005-3-1 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [2005-3-1 10752]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-28 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-2 171296]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-2 58456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-21 136176]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2011-1-12 193192]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [2009-4-8 161128]
S3 EL3C589;3Com Megahertz LAN PC Card Driver;c:\windows\system32\drivers\el589nd5.sys [2008-1-15 26141]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [2005-1-10 10240]
S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [2008-1-14 62048]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-21 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-3-2 24576]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-2 85152]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 OracleOraHome817Agent;OracleOraHome817Agent;c:\oracle\ora817\bin\dbsnmp.exe --> c:\oracle\ora817\bin\dbsnmp.exe [?]
S3 OracleOraHome817ClientCache;OracleOraHome817ClientCache;c:\oracle\ora817\bin\onrsd.exe --> c:\oracle\ora817\bin\ONRSD.EXE [?]
S3 OracleOraHome817DataGatherer;OracleOraHome817DataGatherer;c:\oracle\ora817\bin\vppdc.exe --> c:\oracle\ora817\bin\vppdc.exe [?]
S3 OracleOraHome817HTTPServer;OracleOraHome817HTTPServer;c:\oracle\ora817\apache\apache\apache.exe --> c:\oracle\ora817\apache\apache\Apache.exe [?]
S3 OracleOraHome817PagingServer;OracleOraHome817PagingServer;c:\oracle\ora817/bin/pagntsrv.exe --> c:\oracle\Ora817/bin/pagntsrv.exe [?]
S3 OracleOraHome817TNSListener;OracleOraHome817TNSListener;c:\oracle\ora817\bin\tnslsnr --> c:\oracle\ora817\bin\TNSLSNR [?]
S3 OracleServicegfpc8;OracleServicegfpc8;c:\oracle\ora817\bin\oracle.exe gfpc8 --> c:\oracle\ora817\bin\ORACLE.EXE gfpc8 [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2008-8-31 9472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 R72_NT4;R72_NT4;c:\windows\system32\drivers\r72_nt4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S4 R72V2NT4;R72V2NT4; [x]
S4 RADSTGMS;HP OVCM MSI Redirector;c:\progra~1\novadigm\Radstgms.exe [2010-5-24 333544]
.
=============== Created Last 30 ================
.
2012-01-06 00:42:47 -------- d-----w- c:\documents and settings\rathert\application data\Two Pilots
2012-01-02 21:14:23 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-02 21:14:22 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-02 21:14:22 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-02 21:14:22 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-01 05:03:18 -------- d-----w- c:\documents and settings\rathert\application data\MPEG Streamclip
2011-12-29 08:06:00 -------- d-----w- c:\documents and settings\rathert\application data\Malwarebytes
2011-12-29 08:05:50 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-29 08:05:49 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-29 07:13:15 -------- d-----w- c:\program files\ESET
2011-12-15 23:38:21 -------- d-----w- c:\windows\ms
2011-12-09 03:51:48 -------- d-----w- c:\windows\system32\CCM
2011-12-09 03:50:33 -------- d-----w- c:\program files\Windows Imaging
2011-12-09 03:50:03 -------- dc-h--w- c:\windows\$UninstallRDC$
2011-12-09 03:49:48 -------- d-----w- c:\windows\system32\ccmsetup
2011-12-09 03:49:47 -------- d-----w- c:\program files\ConfigMgr 2007 Toolkit
.
==================== Find3M ====================
.
2011-12-02 23:02:15 88544 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-02 23:02:15 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-02 23:02:15 145936 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-02 23:02:14 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-12-02 23:02:13 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-02 23:02:13 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-02 23:02:13 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-02 23:02:12 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-11-17 10:39:59 52392 ----a-w- c:\windows\system32\InstallMissingPatches.vbs
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 16:26:07.59 ===============



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,600 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:26 PM

Posted 12 January 2012 - 10:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/436706 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:26 PM

Posted 13 January 2012 - 01:26 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following
  • logs from DDS
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 13 January 2012 - 02:19 AM

I was just running the new logs that the Bot asked for. Below are the DDS logs, GMER is still running and I can post that later if you still need it.

I cannot run defogger as I am not an administrator on the computer.



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_24
Run by rathert at 20:16:48 on 2012-01-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2501 [GMT -9:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\lxeacoms.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\SlipStream\NetSwitch\WDisW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\rathert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\rathert\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = https://gateway.slb.com/dana-na/auth/url_default/welcome.cgi
uDefault_Page_URL = hxxp://hub.slb.com
mDefault_Page_URL = hxxp://hub.slb.com
mStart Page = hxxp://www.hub.slb.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111202150332.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\rathert\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Eye-Fi] "d:\program files\eye-fi\helper\EyeFiHelper.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [CmgShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [EmsService] EmsServiceHelper.exe
mRun: [EFS] c:\windows\system32\wscript.exe c:\progra~1\novadigm\SLB_EFS.VBS
mRun: [Norton Ghost 12.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Malwarebytes' Anti-Malware] "d:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Trusted Zone: abbeyinternational.com
Trusted Zone: accenture.com
Trusted Zone: alpinemud.com
Trusted Zone: atbalance.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: boydsrental.com
Trusted Zone: citibank.com
Trusted Zone: coiltubingservices.com
Trusted Zone: deeptec.com.br
Trusted Zone: dell.com
Trusted Zone: drillmotors.com
Trusted Zone: dutchco.com
Trusted Zone: dyna-drill.com
Trusted Zone: dynadrill.com
Trusted Zone: ecutec.com
Trusted Zone: ecutec.eu
Trusted Zone: emhobbs.com
Trusted Zone: employcareers.com
Trusted Zone: enertech-ws.com
Trusted Zone: etrade.com
Trusted Zone: extremeeng.com
Trusted Zone: geodiamond.com
Trusted Zone: geoquest.com
Trusted Zone: geoservices.com
Trusted Zone: indigopool.com
Trusted Zone: innerlogix.com
Trusted Zone: intouchsupport.com
Trusted Zone: iwilson.com
Trusted Zone: microsoft.com
Trusted Zone: miswaco.com
Trusted Zone: miswaco.com\web
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: nexusgeo.com
Trusted Zone: omniseals.com
Trusted Zone: pathfinder-int.com
Trusted Zone: pathfinder-ltd.co.uk
Trusted Zone: pathfinderlwd.com
Trusted Zone: perfolog.com
Trusted Zone: petroal.ru
Trusted Zone: petroalliance.com
Trusted Zone: siismithservices.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: smartforce.com
Trusted Zone: smith-innerarmor.com
Trusted Zone: smith-intl.com
Trusted Zone: smith.com
Trusted Zone: smith.com\smithlink
Trusted Zone: smithbits.com
Trusted Zone: smithborehole.com
Trusted Zone: smithdrilling.com
Trusted Zone: ssafara.net
Trusted Zone: standardchartered.com\webbank
Trusted Zone: sweco.com
Trusted Zone: thomastools.com
Trusted Zone: unitedwire.com
Trusted Zone: virtualbranches.com
Trusted Zone: weirhouston.com
Trusted Zone: westerngeco.com
Trusted Zone: whdrillingsolutions.com
Trusted Zone: whes.com
Trusted Zone: wilsonconfidential.com
Trusted Zone: wilsonconfidential.com\www
Trusted Zone: wilsononline.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP1-11759/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://gateway.slb.com/dana-cached/sc/JuniperSetupClient.cab
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Notify: CMGShieldNP - CmgShieldNP.dll
Notify: slbScCertProp - c:\windows\system32\ScCertProp.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rathert\application data\mozilla\firefox\profiles\ypi99ins.default\
FF - plugin: c:\documents and settings\rathert\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: d:\program files\google\picasa3\npPicasa2.dll
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\videolan1\vlc\npvlc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2009-4-8 404592]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-2 436728]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-1-16 14464]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-2 88544]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [2009-4-8 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [2009-4-8 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [2007-5-7 52432]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-28 652872]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-6-8 132416]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-2 159320]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-2 145936]
R2 MSSQL$DRILLING;SQL Server (DRILLING);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-9-6 29180768]
R2 NetSwitch;NetSwitch;c:\program files\slipstream\netswitch\WDisW.exe [2011-6-23 26112]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [2005-3-1 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [2005-3-1 10752]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-28 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-2 171296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-21 136176]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2011-1-12 193192]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [2009-4-8 161128]
S3 EL3C589;3Com Megahertz LAN PC Card Driver;c:\windows\system32\drivers\el589nd5.sys [2008-1-15 26141]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [2005-1-10 10240]
S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [2008-1-14 62048]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-21 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-3-2 24576]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-2 58456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-2 85152]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 OracleOraHome817Agent;OracleOraHome817Agent;c:\oracle\ora817\bin\dbsnmp.exe --> c:\oracle\ora817\bin\dbsnmp.exe [?]
S3 OracleOraHome817ClientCache;OracleOraHome817ClientCache;c:\oracle\ora817\bin\onrsd.exe --> c:\oracle\ora817\bin\ONRSD.EXE [?]
S3 OracleOraHome817DataGatherer;OracleOraHome817DataGatherer;c:\oracle\ora817\bin\vppdc.exe --> c:\oracle\ora817\bin\vppdc.exe [?]
S3 OracleOraHome817HTTPServer;OracleOraHome817HTTPServer;c:\oracle\ora817\apache\apache\apache.exe --> c:\oracle\ora817\apache\apache\Apache.exe [?]
S3 OracleOraHome817PagingServer;OracleOraHome817PagingServer;c:\oracle\ora817/bin/pagntsrv.exe --> c:\oracle\Ora817/bin/pagntsrv.exe [?]
S3 OracleOraHome817TNSListener;OracleOraHome817TNSListener;c:\oracle\ora817\bin\tnslsnr --> c:\oracle\ora817\bin\TNSLSNR [?]
S3 OracleServicegfpc8;OracleServicegfpc8;c:\oracle\ora817\bin\oracle.exe gfpc8 --> c:\oracle\ora817\bin\ORACLE.EXE gfpc8 [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2008-8-31 9472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 R72_NT4;R72_NT4;c:\windows\system32\drivers\r72_nt4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S4 R72V2NT4;R72V2NT4; [x]
S4 RADEXECD;HP OVCM Notify Daemon;c:\progra~1\novadigm\radexecd.exe [2010-5-24 300776]
S4 RADSCHED;HP OVCM Scheduler Daemon;c:\progra~1\novadigm\radsched.exe [2010-5-24 194280]
S4 RADSTGMS;HP OVCM MSI Redirector;c:\progra~1\novadigm\Radstgms.exe [2010-5-24 333544]
.
=============== Created Last 30 ================
.
2012-01-10 01:54:55 -------- d-----w- c:\documents and settings\rathert\application data\Titanium
2012-01-10 01:54:14 -------- d-----w- c:\documents and settings\rathert\local settings\application data\Eye-Fi
2012-01-10 01:54:11 -------- d-----w- c:\documents and settings\rathert\application data\Eye-Fi
2012-01-09 23:53:43 -------- d-----w- c:\windows\ms
2012-01-06 00:42:47 -------- d-----w- c:\documents and settings\rathert\application data\Two Pilots
2012-01-02 21:14:23 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-02 21:14:22 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-02 21:14:22 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-02 21:14:22 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-01 05:03:18 -------- d-----w- c:\documents and settings\rathert\application data\MPEG Streamclip
2011-12-29 08:06:00 -------- d-----w- c:\documents and settings\rathert\application data\Malwarebytes
2011-12-29 08:05:50 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-29 08:05:49 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-29 07:13:15 -------- d-----w- c:\program files\ESET
.
==================== Find3M ====================
.
2012-01-09 23:07:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-02 23:02:15 88544 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-02 23:02:15 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-02 23:02:15 145936 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-02 23:02:14 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-12-02 23:02:13 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-02 23:02:13 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-02 23:02:13 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-02 23:02:12 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 10:39:59 52392 ----a-w- c:\windows\system32\InstallMissingPatches.vbs
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43:21 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:43:21 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 20:17:49.25 ===============


Attach.txt Log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/14/2008 6:47:47 PM
System Uptime: 1/11/2012 2:16:17 PM (30 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel® Core™2 Duo CPU T7500 @ 2.20GHz | Microprocessor | 2194/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 30 GiB total, 3.552 GiB free.
D: is FIXED (NTFS) - 119 GiB total, 50.437 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP197: 1/9/2012 4:31:38 PM - Software Distribution Service 3.0
RP198: 1/9/2012 4:53:50 PM - Installed Eye-Fi Center 3.4
RP199: 1/9/2012 7:43:41 PM - Removed Eye-Fi Center 3.4
RP200: 1/9/2012 8:23:01 PM - Removed HiJackThis
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 2 (SP2)
AD Migrator V2
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader X (10.1.1)
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AviSynth 2.5
BigFix Enterprise Client
Bluetooth Stack for Windows by Toshiba
Bonjour
Broadcom Gigabit Integrated Controller
BSB Reader
CCleaner
CCM Framework Tools
CmdHere Powertoy For Windows XP
CMG Windows Shield
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Configuration Manager Client
Dell Driver Download Manager
Dell Touchpad
Dell Wireless WLAN Card
DOX 2.5
DOXConvertor
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Entrust Desktop Solutions
ESET Online Scanner v3
Exif Pilot 4.4
FileZilla Client 3.1.5
Garmin MapSource
GDR 3080 for SQL Server Database Services 2005 ENU (KB970895)
GDR 3080 for SQL Server Tools and Workstation Components 2005 ENU (KB970895)
Google Chrome
Google Earth
Google Talk (remove only)
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HP Client Automation Application Manager Agent
HPCarePackCore
HPCarePackProducts
HTC Driver Installer
HTC Sync
i-District 2010.5
i-Handbook
I8kfanGUI V3.1
Image Resizer Powertoy for Windows XP
iTunes
Jalbum
Jalbum 8.0
Java Auto Updater
Java™ 6 Update 24
Juniper Networks Host Checker
Juniper Networks Network Connect 7.1.0
Juniper Networks, Inc. Setup Client
kPod
Lexmark S300-S400 Series
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.0.1800
MapSource
McAfee Agent
McAfee VirusScan Enterprise
Media Player Codec Pack 3.4.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Conferencing Add-in for Microsoft Office Outlook
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Managed DirectX (1126)
Microsoft Office Access 2003 Runtime
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Communicator 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (DRILLING)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WinUsb 1.0
Microsoft XML Parser
Microsoft XML Parser and SDK
Mozilla Firefox 9.0.1 (x86 en-US)
Mozilla Thunderbird (8.0)
MrvlUsgTracking
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MWSnap 3
NetSwitch
Norton Ghost
NVIDIA Drivers
PDFCreator
PDSView 3.2
Picasa 3
PowerDVD
QuickTime
RDC
Rights Management Add-on for Internet Explorer
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Schlumberger DeXa.Badge SCUK 4.4.4.1 Commercial
Schlumberger Licensing
Schlumberger PC Security
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB2618444)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Segoe UI
SigmaTel Audio
SLB Classification
Sonic Activation Module
Timbuktu Pro
Time Zone Data Update Tool for Microsoft Office Outlook
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Windows Internet Explorer 7 (KB980182)
Visual FoxPro ODBC Driver
VLC media player 1.1.11
WebEx
WebEx Meeting Manager for Firefox/Netscape/Chrome
WebFldrs XP
WIMGAPI
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Enterprise Deployment
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
WinZip 14.5
Wondershare Video Converter Platinum(Build 5.1.1.0)
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
1/9/2012 4:32:57 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Installer service to connect.
1/9/2012 4:32:57 PM, error: Service Control Manager [7000] - The Windows Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/9/2012 4:32:57 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/9/2012 4:31:11 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'Dd132.scr' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
1/9/2012 4:25:20 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 4:25:20 PM, error: Service Control Manager [7034] - The lxea_device service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 4:25:20 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 4:25:20 PM, error: Service Control Manager [7034] - The Entrust Login Interface service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 4:25:20 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 4:25:20 PM, error: Service Control Manager [7031] - The Juniper Network Connect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
1/9/2012 4:25:20 PM, error: Service Control Manager [7031] - The BES Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/9/2012 4:25:19 PM, error: Service Control Manager [7034] - The UMVPFSrv service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 4:25:19 PM, error: Service Control Manager [7034] - The EMS service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 4:25:19 PM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 4:25:19 PM, error: Service Control Manager [7031] - The CMG Shield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Reboot the machine.
1/9/2012 4:25:19 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/9/2012 4:16:04 PM, error: Service Control Manager [7034] - The HP OVCM Scheduler Daemon service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 4:16:04 PM, error: Service Control Manager [7034] - The HP OVCM Notify Daemon service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 3:16:38 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
1/9/2012 3:16:38 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/9/2012 2:32:56 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
1/9/2012 2:31:34 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {05D1D5D8-18D1-4B83-85ED-A0F99D53C885} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
1/9/2012 2:24:18 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 6 time(s).
1/9/2012 2:20:32 PM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/9/2012 2:14:45 PM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/9/2012 1:08:03 PM, error: NETLOGON [5719] - No Domain Controller is available for domain NAM due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
1/7/2012 12:44:38 AM, error: Service Control Manager [7034] - The NetSwitch service terminated unexpectedly. It has done this 1 time(s).
1/6/2012 4:35:51 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
1/6/2012 4:13:18 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee McShield service, but this action failed with the following error: An instance of the service is already running.
1/6/2012 4:13:13 PM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/6/2012 3:34:11 PM, error: Service Control Manager [7022] - The Tb2 Launch service hung on starting.
1/6/2012 3:26:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service Norton Ghost with arguments "" in order to run the server: {F3DC957F-00CA-4D2A-A9AD-03FA855AAE38}
1/6/2012 3:02:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
1/6/2012 12:47:54 PM, error: Service Control Manager [7022] - The NetSwitch service hung on starting.
1/6/2012 12:47:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxeaCATSCustConnectService service to connect.
1/6/2012 12:47:25 PM, error: Service Control Manager [7000] - The lxeaCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/6/2012 12:46:31 PM, error: Print [23] - Printer HP LaserJet P1006 failed to initialize because a suitable HP LaserJet P1006 driver could not be found.
1/6/2012 12:46:28 PM, error: NETLOGON [5719] - No Domain Controller is available for domain NAM due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
1/6/2012 12:44:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/6/2012 12:34:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/6/2012 12:28:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm Tosrfcom
1/6/2012 12:17:00 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
1/6/2012 12:14:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tosrfcom
1/6/2012 12:14:07 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/6/2012 12:14:07 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
1/6/2012 12:14:07 PM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
1/6/2012 12:14:07 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/6/2012 12:14:07 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/6/2012 12:14:07 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/6/2012 12:14:07 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/6/2012 12:14:07 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/6/2012 12:08:37 PM, error: Dhcp [1002] - The IP address lease 191.168.1.2 for the Network Card with network address 001FE2C69532 has been denied by the DHCP server 191.168.1.254 (The DHCP Server sent a DHCPNACK message).
1/6/2012 1:59:21 AM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/5/2012 6:21:37 PM, error: Dhcp [1002] - The IP address lease 163.188.83.7 for the Network Card with network address 00FF98AC948A has been denied by the DHCP server 163.185.27.4 (The DHCP Server sent a DHCPNACK message).
1/5/2012 12:01:11 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 191.168.1.1 with the system having network hardware address 10:9A:DD:2E:F2:7F. Network operations on this system may be disrupted as a result.
1/5/2012 1:59:26 AM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/11/2012 1:55:35 PM, error: Dhcp [1002] - The IP address lease 163.188.177.131 for the Network Card with network address 001FE2C69532 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================


I have a new GMER log if you want it.
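
The event-log excerpt above is the kind of evidence a responder reads by hand. As an added example (my code, not part of the original thread or of any tool it mentions), the Python below parses DDS-style Service Control Manager lines, tallies services that terminated unexpectedly (Event IDs 7031/7034), records boot-start drivers that failed to load (Event ID 7026), and flags repeated crashes of the host's own security components. The watchlist of product names is my assumption, chosen from the services visible in the posted logs; the sample lines are copied from the excerpt above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the Service Control Manager / atapi lines from the
# DDS event-log excerpt posted above, kept verbatim. Raw string because of the
# backslashes in the device path.
SAMPLE_LOG = r"""
1/9/2012 4:25:20 PM, error: Service Control Manager [7031] - The BES Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/9/2012 2:24:18 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 6 time(s).
1/9/2012 2:20:32 PM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/9/2012 2:14:45 PM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/6/2012 4:35:51 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
1/6/2012 12:14:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tosrfcom
1/6/2012 12:14:07 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
1/5/2012 1:59:26 AM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
"""

# One DDS event line: "<m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
TERMINATED_RE = re.compile(r"^The (?P<service>.+?) service terminated unexpectedly\.")
DRIVERS_RE = re.compile(r"driver\(s\) failed to load: (?P<drivers>.+)$")

# Watchlist (our assumption): substrings that identify the security products
# visible in the posted logs (McAfee VirusScan, its mfe* drivers, Malwarebytes).
SECURITY_MARKERS = ("mcafee", "mcshield", "mfe", "mbam", "malwarebytes")


def parse_line(line):
    """Return the parsed fields of one event line, or None if the line is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    return rec


def is_security_component(name):
    low = name.lower()
    return any(marker in low for marker in SECURITY_MARKERS)


def analyse(log_text, repeat_threshold=3):
    """Tally unexpected service terminations (events 7031/7034) and boot-start
    driver load failures (event 7026), then list the ones a responder should look at first."""
    terminations = Counter()
    failed_drivers = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["source"] != "Service Control Manager":
            continue
        if rec["event_id"] in (7031, 7034):
            m = TERMINATED_RE.match(rec["message"])
            if m:
                terminations[m.group("service")] += 1
        elif rec["event_id"] == 7026:
            m = DRIVERS_RE.search(rec["message"])
            if m:
                failed_drivers.update(m.group("drivers").split())

    findings = []
    for service, count in terminations.most_common():
        if is_security_component(service):
            findings.append(f"security service terminated unexpectedly {count}x: {service}")
        elif count >= repeat_threshold:
            findings.append(f"service terminated unexpectedly {count}x: {service}")
    sec_drivers = sorted(d for d in failed_drivers if is_security_component(d))
    if sec_drivers:
        findings.append("security driver(s) failed to load: " + ", ".join(sec_drivers))
    return {
        "terminations": dict(terminations),
        "failed_drivers": sorted(failed_drivers),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)["findings"]:
        print(finding)
```

Repeated termination of an antivirus service and its drivers missing from a boot-load list are worth checking against the product's own logs and the disk state before they are attributed to the infection; the script only ranks what to look at first, it does not decide.
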

#5 gringo_pr

  • Malware Response Team

Posted 13 January 2012 - 03:13 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 JR2_Alaska

  • Topic Starter

Posted 13 January 2012 - 03:35 PM

Here is the Combofix log. I am going to reboot and see how the computer is acting. Recently (since I used TDSSKiller to clean the initial problem) the computer has taken forever to start up. It logs into Windows fine but then takes forever to actually start all the crap and actually becomes unresponsive at times.

Combofix Log:

ComboFix 12-01-13.03 - rathert 01/13/2012 11:17:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2566 [GMT -9:00]
Running from: c:\documents and settings\rathert\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\dd\Application Data\3M
c:\documents and settings\dd\Application Data\3M\PSNotes\PSNData
c:\documents and settings\rathert\Application Data\3M
c:\documents and settings\rathert\Application Data\3M\PSNotes\PSNData
c:\documents and settings\rathert\WINDOWS
C:\Thumbs.db
c:\windows\SYSTEM\systemdrive.bat
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\spool\prtprocs\w32x86\HP1006S(2).DLL
c:\windows\system32\spool\prtprocs\w32x86\HP1006S(3).DLL
c:\windows\system32\spool\prtprocs\w32x86\HP1006S(4).DLL
c:\windows\system32\spool\prtprocs\w32x86\HP1006S(5).DLL
c:\windows\system32\spool\prtprocs\w32x86\HP1006S(6).DLL
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
.
.
2012-01-13 20:10 . 2012-01-13 20:10 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-10 01:54 . 2012-01-10 01:54 -------- d-----w- c:\documents and settings\rathert\Application Data\Titanium
2012-01-10 01:54 . 2012-01-10 03:17 -------- d-----w- c:\documents and settings\rathert\Local Settings\Application Data\Eye-Fi
2012-01-10 01:54 . 2012-01-10 01:54 -------- d-----w- c:\documents and settings\rathert\Application Data\Eye-Fi
2012-01-09 23:53 . 2012-01-09 23:53 -------- d-----w- c:\windows\ms
2012-01-06 00:42 . 2012-01-06 00:42 -------- d-----w- c:\documents and settings\rathert\Application Data\Two Pilots
2012-01-02 21:14 . 2012-01-02 21:14 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-02 21:14 . 2012-01-02 21:14 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-02 21:14 . 2012-01-02 21:14 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-02 21:14 . 2012-01-02 21:14 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-01 05:03 . 2012-01-01 05:03 -------- d-----w- c:\documents and settings\rathert\Application Data\MPEG Streamclip
2011-12-29 08:06 . 2011-12-29 08:06 -------- d-----w- c:\documents and settings\rathert\Application Data\Malwarebytes
2011-12-29 08:05 . 2011-12-29 08:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-29 08:05 . 2011-12-11 00:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-29 07:13 . 2011-12-29 07:13 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-09 23:07 . 2011-09-05 21:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-02 23:02 . 2011-12-03 00:03 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-02 23:02 . 2011-12-03 00:03 88544 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-02 23:02 . 2011-12-03 00:03 145936 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-02 23:02 . 2011-12-03 00:03 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-12-02 23:02 . 2011-12-03 00:03 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-02 23:02 . 2011-12-03 00:03 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-02 23:02 . 2011-12-03 00:03 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-02 23:02 . 2011-12-03 00:03 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 10:39 . 2011-11-17 10:39 52392 ----a-w- c:\windows\system32\InstallMissingPatches.vbs
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:43 . 2004-08-04 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2010-12-05 09:41 . 2009-03-06 21:06 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2011-11-18 23:22 . 2009-03-06 21:06 574264 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-07-15 20:57 . 2009-03-06 21:07 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-06-05 19:00 . 2009-06-05 19:00 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-01-02 21:14 . 2011-03-24 08:21 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5730144]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2009-04-08 247144]
"EmsService"="EmsServiceHelper.exe" [2009-04-08 1967464]
"EFS"="c:\windows\SYSTEM32\WScript.EXE" [2008-05-08 155648]
"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-11-13 2037096]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-20 598016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-06-08 333120]
"Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
c:\documents and settings\dd\Start Menu\Programs\Startup\
Shortcut to TO DO.lnk - d:\work stuff\TO DO.doc [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2009-04-08 18:13 161128 ----a-w- c:\windows\system32\CmgShieldNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slbScCertProp]
2003-12-20 00:44 34304 ----a-w- c:\windows\system32\ScCertProp.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2006-10-24 18:18 81920 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-151122\Scripts\Logon\0\0]
"Script"=changeprofile.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-151122\Scripts\Logon\0\1]
"Script"=BESProcessLow.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\0\0]
"Script"=changeprofile.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\0\1]
"Script"=BESProcessLow.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\1\0]
"Script"=SMSMigration_C03_0_9.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\2\0]
"Script"=MigratorUpn.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\3\0]
"Script"=RadiaVeriClean_040309.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\4\0]
"Script"=CertRemove.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\5\0]
"Script"=outlook_scan.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\6\0]
"Script"=outlook_scan.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novadigm\\radtray.exe"=
"c:\\Program Files\\Novadigm\\RadUIShell.exe"= c:\\Program Files\\Novadigm\\raduishell.exe
"c:\\Program Files\\Novadigm\\radexecd.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Timbuktu Pro\\tb2pro.exe"=
"c:\\Program Files\\Timbuktu Pro\\MiniTB2.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Timbuktu Pro\\TB2Scan.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxeacoms.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52311:UDP"= 52311:UDP:BES Client
"139:TCP"= 139:TCP:IKE (TCP 139)HKLM
"445:TCP"= 445:TCP:IKE (TCP 445)
"137:UDP"= 137:UDP:IKE (UDP 137)
"138:UDP"= 138:UDP:IKE (UDP 138)
"81:TCP"= 81:TCP:(TCP 81)
"8080:TCP"= 8080:TCP:(TCP 8080)
"8081:TCP"= 8081:TCP:(TCP 8081)
"8082:TCP"= 8082:TCP:(TCP 8082)
"8443:TCP"= 8443:TCP:(TCP 8443)
"8444:TCP"= 8444:TCP:(TCP 8444)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5742:TCP"= 5742:TCP:TransAct
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [4/8/2009 9:14 AM 404592]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [1/16/2008 7:37 PM 14464]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/2/2011 3:03 PM 88544]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [4/8/2009 9:11 AM 2057576]
R2 EMS;EMS;c:\windows\system32\EmsService.exe [4/8/2009 9:08 AM 709992]
R2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [5/7/2007 1:19 PM 52432]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/28/2011 11:05 PM 652872]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/2/2011 3:03 PM 145936]
R2 MSSQL$DRILLING;SQL Server (DRILLING);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [9/6/2009 4:19 AM 29180768]
R2 NetSwitch;NetSwitch;c:\program files\SlipStream\NetSwitch\WDisW.exe [6/23/2011 3:56 PM 26112]
R3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [3/1/2005 1:43 AM 11264]
R3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [3/1/2005 1:43 AM 10752]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/28/2011 11:05 PM 20464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/13/2012 11:10 AM 40776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2010 3:42 AM 136176]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [1/12/2011 12:53 PM 193192]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 9:13 AM 161128]
S3 EL3C589;3Com Megahertz LAN PC Card Driver;c:\windows\system32\drivers\el589nd5.sys [1/15/2008 10:41 AM 26141]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [1/10/2005 9:49 AM 10240]
S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [1/14/2008 5:22 PM 62048]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2010 3:42 AM 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [3/2/2011 10:38 AM 24576]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/2/2011 3:03 PM 85152]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 10:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 10:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 7:18 PM 23680]
S3 OracleOraHome817Agent;OracleOraHome817Agent;c:\oracle\Ora817\bin\dbsnmp.exe --> c:\oracle\Ora817\bin\dbsnmp.exe [?]
S3 OracleOraHome817ClientCache;OracleOraHome817ClientCache;c:\oracle\Ora817\BIN\ONRSD.EXE --> c:\oracle\Ora817\BIN\ONRSD.EXE [?]
S3 OracleOraHome817DataGatherer;OracleOraHome817DataGatherer;c:\oracle\Ora817\bin\vppdc.exe --> c:\oracle\Ora817\bin\vppdc.exe [?]
S3 OracleOraHome817HTTPServer;OracleOraHome817HTTPServer;c:\oracle\Ora817\Apache\Apache\Apache.exe --> c:\oracle\Ora817\Apache\Apache\Apache.exe [?]
S3 OracleOraHome817PagingServer;OracleOraHome817PagingServer;c:\oracle\Ora817/bin/pagntsrv.exe --> c:\oracle\Ora817/bin/pagntsrv.exe [?]
S3 OracleOraHome817TNSListener;OracleOraHome817TNSListener;c:\oracle\Ora817\BIN\TNSLSNR --> c:\oracle\Ora817\BIN\TNSLSNR [?]
S3 OracleServicegfpc8;OracleServicegfpc8;c:\oracle\ora817\bin\ORACLE.EXE gfpc8 --> c:\oracle\ora817\bin\ORACLE.EXE gfpc8 [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [8/31/2008 8:46 PM 9472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 R72_NT4;R72_NT4;c:\windows\system32\drivers\R72_NT4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S4 R72V2NT4;R72V2NT4; [x]
S4 RADEXECD;HP OVCM Notify Daemon;c:\progra~1\Novadigm\radexecd.exe [5/24/2010 1:18 PM 300776]
S4 RADSCHED;HP OVCM Scheduler Daemon;c:\progra~1\Novadigm\radsched.exe [5/24/2010 1:21 PM 194280]
S4 RADSTGMS;HP OVCM MSI Redirector;c:\progra~1\Novadigm\Radstgms.exe [5/24/2010 1:21 PM 333544]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - mfeavfk01
*Deregistered* - uxldipob
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2011-10-31 23:43 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-13 c:\windows\Tasks\At1.job
- c:\windows\SYSTEM32\WScript.exe [2004-08-04 11:24]
.
2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc8ca0b7249bec.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-21 12:42]
.
2012-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1035525444-1801674531-21960Core1cc8ec23dd7423e.job
- c:\documents and settings\rathert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-31 10:16]
.
2012-01-13 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 22:28]
.
2012-01-13 c:\windows\Tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
2012-01-13 c:\windows\Tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
2012-01-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-07-20 06:18]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = https://gateway.slb.com/dana-na/auth/url_default/welcome.cgi
mStart Page = hxxp://www.hub.slb.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: abbeyinternational.com
Trusted Zone: accenture.com
Trusted Zone: alpinemud.com
Trusted Zone: atbalance.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: boydsrental.com
Trusted Zone: citibank.com
Trusted Zone: coiltubingservices.com
Trusted Zone: deeptec.com.br
Trusted Zone: dell.com
Trusted Zone: drillmotors.com
Trusted Zone: dutchco.com
Trusted Zone: dyna-drill.com
Trusted Zone: dynadrill.com
Trusted Zone: ecutec.com
Trusted Zone: ecutec.eu
Trusted Zone: emhobbs.com
Trusted Zone: employcareers.com
Trusted Zone: enertech-ws.com
Trusted Zone: etrade.com
Trusted Zone: extremeeng.com
Trusted Zone: geodiamond.com
Trusted Zone: geoquest.com
Trusted Zone: geoservices.com
Trusted Zone: indigopool.com
Trusted Zone: innerlogix.com
Trusted Zone: intouchsupport.com
Trusted Zone: iwilson.com
Trusted Zone: microsoft.com
Trusted Zone: miswaco.com
Trusted Zone: miswaco.com\web
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: nexusgeo.com
Trusted Zone: omniseals.com
Trusted Zone: pathfinder-int.com
Trusted Zone: pathfinder-ltd.co.uk
Trusted Zone: pathfinderlwd.com
Trusted Zone: perfolog.com
Trusted Zone: petroal.ru
Trusted Zone: petroalliance.com
Trusted Zone: siismithservices.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: smartforce.com
Trusted Zone: smith-innerarmor.com
Trusted Zone: smith-intl.com
Trusted Zone: smith.com
Trusted Zone: smith.com\smithlink
Trusted Zone: smithbits.com
Trusted Zone: smithborehole.com
Trusted Zone: smithdrilling.com
Trusted Zone: ssafara.net
Trusted Zone: standardchartered.com\webbank
Trusted Zone: sweco.com
Trusted Zone: thomastools.com
Trusted Zone: unitedwire.com
Trusted Zone: virtualbranches.com
Trusted Zone: weirhouston.com
Trusted Zone: westerngeco.com
Trusted Zone: whdrillingsolutions.com
Trusted Zone: whes.com
Trusted Zone: wilsonconfidential.com
Trusted Zone: wilsonconfidential.com\www
Trusted Zone: wilsononline.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\rathert\Application Data\Mozilla\Firefox\Profiles\ypi99ins.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Eye-Fi - d:\program files\Eye-Fi\Helper\EyeFiHelper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-13 11:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\rathert\Application Data\Microsoft\Outlook\CredDB.CEF 3256 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraHome817PagingServer]
"ImagePath"="c:\oracle\Ora817/bin/pagntsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraHome817TNSListener]
"ImagePath"="c:\oracle\Ora817\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1224)
c:\windows\system32\CmgShieldNP.dll
c:\windows\system32\ScCertProp.dll
.
Completion time: 2012-01-13 11:24:55
ComboFix-quarantined-files.txt 2012-01-13 20:24
.
Pre-Run: 3,705,544,704 bytes free
Post-Run: 4,028,461,056 bytes free
.
- - End Of File - - 9F520FB2D81EA7BCC7E7BD4A33EACC9D

#7 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 13 January 2012 - 03:46 PM

After I rebooted Adobe Reader updated automatically and the computer seems much better. It still took some time for it to complete the start up sequence but it's an old slow laptop and it's much better than it was previously.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:26 PM

Posted 13 January 2012 - 05:00 PM

Hello


I want you to reset the DMA. You can do this with the script here - Reset DMA

If you have problems when you click on the link try to right click on the link and select "Save Target As" and then save to your desktop.
Once it is on your desktop, right click on the file and select "Run".

If you still can't run it then you can go here "Reset DMA" to see what I want to do



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 13 January 2012 - 07:20 PM

Okay, I reset DMA by saving the script to my desktop and running it. I rebooted and now the system hangs after I log in. The desktop comes up but it never finishes loading the networking. When I move the mouse over the start bar it has the hourglass like it's waiting. If I click on anything nothing happens. The processor does not seem to be running wide open so something is hanging.
I am in safe mode posting this. I am going to restart again in normal mode and let the computer run for a while and see if it will eventually finish starting up.

#10 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 13 January 2012 - 07:26 PM

Okay, I rebooted again and the start up was normal. Guess it just needed a couple of reboots to sort itself out.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:26 PM

Posted 13 January 2012 - 09:46 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#12 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 14 January 2012 - 12:25 AM

I ran the script with no problems. I then ran ComboFix and it asked to be allowed to update. It updated and then I ran it again. It goes all the way to step 50 and then hangs. I have tried it twice; both times I had to reboot to make the computer work again. I am in safe mode now and I will try and run ComboFix in safe mode and see what happens.

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:26 PM

Posted 14 January 2012 - 12:27 AM

Run in safe mode and let me know.


gringo

#14 JR2_Alaska

JR2_Alaska
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:26 PM

Posted 14 January 2012 - 12:42 AM

It ran fine in safe mode, here is the log.

ComboFix 12-01-13.05 - rathert 01/13/2012 20:31:54.5.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3027 [GMT -9:00]
Running from: c:\documents and settings\rathert\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-14 to 2012-01-14 )))))))))))))))))))))))))))))))
.
.
2012-01-10 01:54 . 2012-01-10 01:54 -------- d-----w- c:\documents and settings\rathert\Application Data\Titanium
2012-01-10 01:54 . 2012-01-10 03:17 -------- d-----w- c:\documents and settings\rathert\Local Settings\Application Data\Eye-Fi
2012-01-10 01:54 . 2012-01-10 01:54 -------- d-----w- c:\documents and settings\rathert\Application Data\Eye-Fi
2012-01-09 23:53 . 2012-01-09 23:53 -------- d-----w- c:\windows\ms
2012-01-06 00:42 . 2012-01-06 00:42 -------- d-----w- c:\documents and settings\rathert\Application Data\Two Pilots
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-02 21:14 . 2012-01-02 21:14 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-02 21:14 . 2012-01-02 21:14 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-02 21:14 . 2012-01-02 21:14 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-02 21:14 . 2012-01-02 21:14 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-01 05:03 . 2012-01-01 05:03 -------- d-----w- c:\documents and settings\rathert\Application Data\MPEG Streamclip
2011-12-29 08:06 . 2011-12-29 08:06 -------- d-----w- c:\documents and settings\rathert\Application Data\Malwarebytes
2011-12-29 08:05 . 2011-12-29 08:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-29 08:05 . 2011-12-11 00:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-29 07:13 . 2011-12-29 07:13 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-09 23:07 . 2011-09-05 21:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-02 23:02 . 2011-12-03 00:03 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-02 23:02 . 2011-12-03 00:03 88544 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-02 23:02 . 2011-12-03 00:03 145936 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-02 23:02 . 2011-12-03 00:03 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-12-02 23:02 . 2011-12-03 00:03 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-02 23:02 . 2011-12-03 00:03 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-02 23:02 . 2011-12-03 00:03 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-02 23:02 . 2011-12-03 00:03 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 10:39 . 2011-11-17 10:39 52392 ----a-w- c:\windows\system32\InstallMissingPatches.vbs
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:43 . 2004-08-04 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2010-12-05 09:41 . 2009-03-06 21:06 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2011-11-18 23:22 . 2009-03-06 21:06 574264 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-07-15 20:57 . 2009-03-06 21:07 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-06-05 19:00 . 2009-06-05 19:00 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-01-02 21:14 . 2011-03-24 08:21 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-13_20.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2012-01-14 05:25 519296 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2012-01-14 05:25 100514 c:\windows\system32\perfc009.dat
+ 2012-01-03 17:58 . 2012-01-03 17:58 15929344 c:\windows\Installer\3c1bf.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5730144]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2009-04-08 247144]
"EmsService"="EmsServiceHelper.exe" [2009-04-08 1967464]
"EFS"="c:\windows\SYSTEM32\WScript.EXE" [2008-05-08 155648]
"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-11-13 2037096]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-20 598016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-06-08 333120]
"Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
c:\documents and settings\dd\Start Menu\Programs\Startup\
Shortcut to TO DO.lnk - d:\work stuff\TO DO.doc [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
2009-04-08 18:13 161128 ----a-w- c:\windows\system32\CmgShieldNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slbScCertProp]
2003-12-20 00:44 34304 ----a-w- c:\windows\system32\ScCertProp.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2006-10-24 18:18 81920 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-151122\Scripts\Logon\0\0]
"Script"=changeprofile.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-151122\Scripts\Logon\0\1]
"Script"=BESProcessLow.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\0\0]
"Script"=changeprofile.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\0\1]
"Script"=BESProcessLow.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\1\0]
"Script"=SMSMigration_C03_0_9.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\2\0]
"Script"=MigratorUpn.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\3\0]
"Script"=RadiaVeriClean_040309.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\4\0]
"Script"=CertRemove.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\5\0]
"Script"=outlook_scan.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-1035525444-1801674531-21960\Scripts\Logon\6\0]
"Script"=outlook_scan.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novadigm\\radtray.exe"=
"c:\\Program Files\\Novadigm\\RadUIShell.exe"= c:\\Program Files\\Novadigm\\raduishell.exe
"c:\\Program Files\\Novadigm\\radexecd.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Timbuktu Pro\\tb2pro.exe"=
"c:\\Program Files\\Timbuktu Pro\\MiniTB2.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Timbuktu Pro\\TB2Scan.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxeacoms.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52311:UDP"= 52311:UDP:BES Client
"139:TCP"= 139:TCP:IKE (TCP 139)HKLM
"445:TCP"= 445:TCP:IKE (TCP 445)
"137:UDP"= 137:UDP:IKE (UDP 137)
"138:UDP"= 138:UDP:IKE (UDP 138)
"81:TCP"= 81:TCP:(TCP 81)
"8080:TCP"= 8080:TCP:(TCP 8080)
"8081:TCP"= 8081:TCP:(TCP 8081)
"8082:TCP"= 8082:TCP:(TCP 8082)
"8443:TCP"= 8443:TCP:(TCP 8443)
"8444:TCP"= 8444:TCP:(TCP 8444)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5742:TCP"= 5742:TCP:TransAct
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [4/8/2009 9:14 AM 404592]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/2/2011 3:03 PM 88544]
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [4/8/2009 9:11 AM 2057576]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/2/2011 3:03 PM 145936]
S1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [1/16/2008 7:37 PM 14464]
S1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
S1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 EMS;EMS;c:\windows\system32\EmsService.exe [4/8/2009 9:08 AM 709992]
S2 ETFSDNT;Entrust File System Hook;c:\windows\system32\Etfsdrv.sys [5/7/2007 1:19 PM 52432]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2010 3:42 AM 136176]
S2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [1/12/2011 12:53 PM 193192]
S2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/28/2011 11:05 PM 652872]
S2 MSSQL$DRILLING;SQL Server (DRILLING);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [9/6/2009 4:19 AM 29180768]
S2 NetSwitch;NetSwitch;c:\program files\SlipStream\NetSwitch\WDisW.exe [6/23/2011 3:56 PM 26112]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [4/8/2009 9:13 AM 161128]
S3 Egatebus;Egatebus;c:\windows\system32\drivers\egatebus.sys [3/1/2005 1:43 AM 11264]
S3 Egaterdr;Egaterdr;c:\windows\system32\drivers\egaterdr.sys [3/1/2005 1:43 AM 10752]
S3 EL3C589;3Com Megahertz LAN PC Card Driver;c:\windows\system32\drivers\el589nd5.sys [1/15/2008 10:41 AM 26141]
S3 ETDSVC;Entrust/TrueDelete™;c:\windows\system32\etdsvc.exe [1/10/2005 9:49 AM 10240]
S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [1/14/2008 5:22 PM 62048]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2010 3:42 AM 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [3/2/2011 10:38 AM 24576]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/28/2011 11:05 PM 20464]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/2/2011 3:03 PM 85152]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 10:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 10:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 7:18 PM 23680]
S3 OracleOraHome817Agent;OracleOraHome817Agent;c:\oracle\Ora817\bin\dbsnmp.exe --> c:\oracle\Ora817\bin\dbsnmp.exe [?]
S3 OracleOraHome817ClientCache;OracleOraHome817ClientCache;c:\oracle\Ora817\BIN\ONRSD.EXE --> c:\oracle\Ora817\BIN\ONRSD.EXE [?]
S3 OracleOraHome817DataGatherer;OracleOraHome817DataGatherer;c:\oracle\Ora817\bin\vppdc.exe --> c:\oracle\Ora817\bin\vppdc.exe [?]
S3 OracleOraHome817HTTPServer;OracleOraHome817HTTPServer;c:\oracle\Ora817\Apache\Apache\Apache.exe --> c:\oracle\Ora817\Apache\Apache\Apache.exe [?]
S3 OracleOraHome817PagingServer;OracleOraHome817PagingServer;c:\oracle\Ora817/bin/pagntsrv.exe --> c:\oracle\Ora817/bin/pagntsrv.exe [?]
S3 OracleOraHome817TNSListener;OracleOraHome817TNSListener;c:\oracle\Ora817\BIN\TNSLSNR --> c:\oracle\Ora817\BIN\TNSLSNR [?]
S3 OracleServicegfpc8;OracleServicegfpc8;c:\oracle\ora817\bin\ORACLE.EXE gfpc8 --> c:\oracle\ora817\bin\ORACLE.EXE gfpc8 [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [8/31/2008 8:46 PM 9472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 R72_NT4;R72_NT4;c:\windows\system32\drivers\R72_NT4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S4 R72V2NT4;R72V2NT4; [x]
S4 RADEXECD;HP OVCM Notify Daemon;c:\progra~1\Novadigm\radexecd.exe [5/24/2010 1:18 PM 300776]
S4 RADSCHED;HP OVCM Scheduler Daemon;c:\progra~1\Novadigm\radsched.exe [5/24/2010 1:21 PM 194280]
S4 RADSTGMS;HP OVCM MSI Redirector;c:\progra~1\Novadigm\Radstgms.exe [5/24/2010 1:21 PM 333544]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MDMXSDK
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2011-10-31 23:43 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-13 c:\windows\Tasks\At1.job
- c:\windows\SYSTEM32\WScript.exe [2004-08-04 11:24]
.
2012-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc8ca0b7249bec.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-21 12:42]
.
2012-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1035525444-1801674531-21960Core1cc8ec23dd7423e.job
- c:\documents and settings\rathert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-31 10:16]
.
2012-01-13 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 22:28]
.
2012-01-14 c:\windows\Tasks\User_Feed_Synchronization-{3593033B-F2BD-4A4A-BADC-A441AFBBF125}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
2012-01-14 c:\windows\Tasks\User_Feed_Synchronization-{45E63BAE-507C-482C-97D2-CF7BF189B9A8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
2012-01-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-07-20 06:18]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = https://gateway.slb.com/dana-na/auth/url_default/welcome.cgi
mStart Page = hxxp://www.hub.slb.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: abbeyinternational.com
Trusted Zone: accenture.com
Trusted Zone: alpinemud.com
Trusted Zone: atbalance.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: boydsrental.com
Trusted Zone: citibank.com
Trusted Zone: coiltubingservices.com
Trusted Zone: deeptec.com.br
Trusted Zone: dell.com
Trusted Zone: drillmotors.com
Trusted Zone: dutchco.com
Trusted Zone: dyna-drill.com
Trusted Zone: dynadrill.com
Trusted Zone: ecutec.com
Trusted Zone: ecutec.eu
Trusted Zone: emhobbs.com
Trusted Zone: employcareers.com
Trusted Zone: enertech-ws.com
Trusted Zone: etrade.com
Trusted Zone: extremeeng.com
Trusted Zone: geodiamond.com
Trusted Zone: geoquest.com
Trusted Zone: geoservices.com
Trusted Zone: indigopool.com
Trusted Zone: innerlogix.com
Trusted Zone: intouchsupport.com
Trusted Zone: iwilson.com
Trusted Zone: microsoft.com
Trusted Zone: miswaco.com
Trusted Zone: miswaco.com\web
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: nexusgeo.com
Trusted Zone: omniseals.com
Trusted Zone: pathfinder-int.com
Trusted Zone: pathfinder-ltd.co.uk
Trusted Zone: pathfinderlwd.com
Trusted Zone: perfolog.com
Trusted Zone: petroal.ru
Trusted Zone: petroalliance.com
Trusted Zone: siismithservices.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: smartforce.com
Trusted Zone: smith-innerarmor.com
Trusted Zone: smith-intl.com
Trusted Zone: smith.com
Trusted Zone: smith.com\smithlink
Trusted Zone: smithbits.com
Trusted Zone: smithborehole.com
Trusted Zone: smithdrilling.com
Trusted Zone: ssafara.net
Trusted Zone: standardchartered.com\webbank
Trusted Zone: sweco.com
Trusted Zone: thomastools.com
Trusted Zone: unitedwire.com
Trusted Zone: virtualbranches.com
Trusted Zone: weirhouston.com
Trusted Zone: westerngeco.com
Trusted Zone: whdrillingsolutions.com
Trusted Zone: whes.com
Trusted Zone: wilsonconfidential.com
Trusted Zone: wilsonconfidential.com\www
Trusted Zone: wilsononline.com
Trusted Zone: geoquest.com
Trusted Zone: intouchsupport.com
Trusted Zone: mydexa.com
Trusted Zone: slb.com
Trusted Zone: standardchartered.com\webbank
Trusted Zone: virtualbranches.com
Trusted Zone: westerngeco.com
TCP: DhcpNameServer = 192.168.2.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\rathert\Application Data\Mozilla\Firefox\Profiles\ypi99ins.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-13 20:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraHome817PagingServer]
"ImagePath"="c:\oracle\Ora817/bin/pagntsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOraHome817TNSListener]
"ImagePath"="c:\oracle\Ora817\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\CmgShieldNP.dll
c:\windows\system32\ScCertProp.dll
.
- - - - - - - > 'explorer.exe'(476)
c:\windows\system32\WININET.dll
.
Completion time: 2012-01-13 20:37:56
ComboFix-quarantined-files.txt 2012-01-14 05:37
ComboFix2.txt 2012-01-13 20:24
.
Pre-Run: 3,975,262,208 bytes free
Post-Run: 3,947,569,152 bytes free
.
- - End Of File - - 360689D06E2432BA32B98AF5FEC1032B
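Gringo reads the ComboFix output above by eye. As an added example (not part of this thread, and not ComboFix's own tooling), here is a small Python triage script that parses the same log layout and flags the autostart entries a responder would verify first: Run-key values and scheduled tasks that launch a script host such as WScript.exe, Run values with no directory part (so Windows resolves them by search order), and services whose image ComboFix marked [?] or [x] because the file was not found. The sample log embedded below is constructed in the log's format, not copied from the thread, and the set of script hosts is my own choice.

```python
import re
from typing import List, Tuple

# Script interpreters: an autostart entry that launches one of these with no
# visible script argument is worth a second look during triage (my choice of set).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Constructed sample in ComboFix's log layout (modelled on the log in this
# thread, not a copy of it): one Run key, the Scheduled Tasks folder, services.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"EmsService"="EmsServiceHelper.exe" [2009-04-08 1967464]
"EFS"="c:\windows\SYSTEM32\WScript.EXE" [2008-05-08 155648]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-13 c:\windows\Tasks\At1.job
- c:\windows\SYSTEM32\WScript.exe [2004-08-04 11:24]
.
2012-01-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-07-20 06:18]
.
R2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [4/8/2009 9:11 AM 2057576]
S1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
S4 R72V2NT4;R72V2NT4; [x]
"""

RUN_KEY_RE = re.compile(r"^\[(HK[^\]]*\\Run)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"')
TASK_JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")
TASK_IMAGE_RE = re.compile(r"^- (?P<image>.+?) \[[^\]]*\]$")
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);[^;]*;(?P<image>.*)$")
FILE_RE = re.compile(r'[^\\/"]+\.(?:exe|dll|sys|cpl|scr|com)', re.IGNORECASE)

Finding = Tuple[str, str, str, str]  # (section, entry name, image, reason)


def image_file(image: str) -> str:
    """Lower-cased file name of the executable in an image string, arguments ignored."""
    m = FILE_RE.search(image)
    if m:
        return m.group(0).lower()
    # No recognised extension (e.g. "...\BIN\TNSLSNR "): use the last path component.
    return image.strip().replace("/", "\\").split("\\")[-1].lower()


def is_unqualified(image: str) -> bool:
    """True when the image has no directory part, so Windows finds it by search order."""
    img = image.strip()
    return bool(img) and "\\" not in img and "/" not in img


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix log and return the autostart entries a responder should verify."""
    findings: List[Finding] = []
    run_key = None        # current [...\Run] key, or None when outside one
    in_tasks = False
    pending_job = None    # .job file whose "- image" line comes next
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            run_key = m.group(1) if m else None
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_tasks = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            # ComboFix appends [?] (file not found) or [x] (no path) to such services.
            if m.group("image").rstrip().endswith(("[?]", "[x]")):
                findings.append(("Services", m.group("name"), m.group("image").strip(),
                                 "image not found on disk"))
            continue
        m = RUN_VALUE_RE.match(line)
        if m and run_key:
            name, image = m.group("name"), m.group("image")
            if is_unqualified(image):
                findings.append((run_key, name, image,
                                 "unqualified image path (resolved via search order)"))
            if image_file(image) in SCRIPT_HOSTS:
                findings.append((run_key, name, image, "script host launched from autostart"))
            continue
        m = TASK_JOB_RE.match(line)
        if m and in_tasks:
            pending_job = m.group("job")
            continue
        m = TASK_IMAGE_RE.match(line)
        if m and pending_job:
            if image_file(m.group("image")) in SCRIPT_HOSTS:
                findings.append(("Scheduled Tasks", pending_job, m.group("image"),
                                 "script host launched from autostart"))
            pending_job = None
    return findings


if __name__ == "__main__":
    for section, name, image, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {section}: {name} -> {image}")
```

Point `triage()` at a saved ComboFix log instead of the sample to use it on a real case. Each finding is a prompt to verify the entry (check the file on disk, who signed it and what arguments it is started with), not a verdict: a script host in a Run key or an At job can be a legitimate corporate logon script just as easily as something that needs removing.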

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:26 PM

Posted 14 January 2012 - 12:53 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Java™ 6 Update 24

and click on remove



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
