PUM.Hijack.Help


  • This topic is locked
4 replies to this topic

#1 marks090

  • Members
  • 4 posts

Posted 25 December 2012 - 03:43 PM

Not sure I have posted in the right area.


I have a weird issue. XP, latest service pack. McAfee loaded and Malwarebytes loaded. As administrator, no PUM, but as user I get the PUM, and it won't remove. Also presents Excel spreadsheet errors (corrupted or read-only), also PDF errors: cannot open Adobe Acrobat/Reader as a user, but PDF and Excel open under administrator. Please help? In both modes, admin or user, Microsoft Updates fails. Please help.
Does not remove on reboot.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Delete on reboot.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
nothing is showing up
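Before deleting a policy value that a scanner reports as a PUM, a practitioner would want to know which hive it lives in, whether the same value exists for other accounts, and whether a Group Policy object keeps writing it back, since a value owned by a domain GPO is re-applied at every policy refresh and a local deletion (including "Delete on reboot") will not persist. The script below is an added example, not part of this thread or of any of the tools mentioned in it. It assumes Windows PowerShell 2.0 or later (an optional download on Windows XP) and is meant to be run once as the affected user and once as the administrator so the two outputs can be compared. The value names it annotates are the documented Explorer and Windows Update policy names that appear in the scanner hit above and in the ComboFix/DDS listings later in the thread; the one-line descriptions are my own summaries.

```powershell
# Added example, not from the original thread or any tool it mentions.
# Audits Explorer and Windows Update policy values in both registry hives and
# lists the Group Policy objects recorded in the local policy history.
# Assumes Windows PowerShell 2.0 or later (an optional download on Windows XP).
# Run it once as the affected user and once as the administrator and compare.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU',
    'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
)

# Documented policy value names that appear in this thread's logs, with a
# one-line summary of each (summaries are my own wording).
$known = @{
    'NoSMHelp'             = 'Removes Help from the Start menu'
    'NoSMBalloonTip'       = 'Suppresses Start menu balloon tips'
    'ForceStartMenuLogOff' = 'Forces the Log Off entry onto the Start menu'
    'NoAutoUpdate'         = 'Disables Automatic Updates'
    'NoDriveTypeAutoRun'   = 'Bitmask of drive types with AutoRun disabled'
    'NoDriveAutoRun'       = 'Bitmask of drive letters with AutoRun disabled'
    'NoDrives'             = 'Bitmask of drive letters hidden in Explorer'
}

function Get-PolicyValues {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        $note = 'not a value name seen in this thread'
        if ($known.ContainsKey($name)) { $note = $known[$name] }
        New-Object PSObject -Property @{
            Hive = $Path.Split(':')[0]
            Key  = $Path
            Name = $name
            Data = $key.GetValue($name)
            Note = $note
        }
    }
}

$all = @($policyPaths | ForEach-Object { Get-PolicyValues -Path $_ })
$all | Sort-Object Key, Name | Format-Table Hive, Name, Data, Note -AutoSize

# Values set only in the current user's hive: an administrator logging on with a
# different profile would not see these, which is what a per-user PUM looks like.
$machineNames = @($all | Where-Object { $_.Hive -eq 'HKLM' } | ForEach-Object { $_.Name })
$userOnly = $all | Where-Object { $_.Hive -eq 'HKCU' -and ($machineNames -notcontains $_.Name) }
"`nSet for this user only:"
$userOnly | Format-Table Name, Data, Note -AutoSize

# Group Policy history: every numbered subkey here is a GPO that was applied at
# the last refresh. A domain GPO rewrites the values it owns at each refresh, so
# deleting such a value locally (or 'on reboot') does not persist.
$historyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
)
foreach ($hist in $historyKeys) {
    if (-not (Test-Path $hist)) { continue }
    "`nGPOs recorded under $hist"
    Get-ChildItem -Path $hist -Recurse | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.DisplayName) { '  {0}  <{1}>  {2}' -f $p.DisplayName, $p.GPOName, $p.FileSysPath }
    }
}
```

If the flagged value shows up under "Set for this user only" and a domain GPO is listed in the HKCU history, the place to change it is that GPO (or the logon script that sets it), not the local registry; `gpresult /v` run as the same user gives the same GPO list in a different form and is a useful cross-check.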


#2 nasdaq

  • Malware Response Team
  • 37,742 posts
  • Location: Montreal, QC, Canada

Posted 27 December 2012 - 01:36 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
    • DDS.scr <- not recommended if you use Chrome to download this .scr file. Use the other options.
    • DDS.pif
    • DDS.COM
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.


Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.


Please post the logs and let me know if the problem persists.

#3 marks090

  • Topic Starter
  • Members
  • 4 posts

Posted 27 December 2012 - 10:21 PM

Thanks for your help.
Recovery console never came up.
ComboFix 12-12-27.03 - Administrator 12/27/2012 21:11:17.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2523 [GMT -5:00]
Running from: c:\documents and settings\mark090\Desktop\ComboFix.exe
FW: McAfee Host Intrusion Prevention Firewall *Disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-28 )))))))))))))))))))))))))))))))
.
.
2012-12-27 22:50 . 2012-12-27 22:50 -------- d-----w- c:\program files\ESET
2012-12-25 20:18 . 2009-05-15 15:04 39816 ----a-w- c:\windows\system32\HIPIS0e011aa.dll
2012-12-24 21:04 . 2012-12-24 21:04 -------- d-----w- c:\windows\ERUNT
2012-12-24 21:03 . 2012-12-24 21:03 -------- d-----w- C:\JRT
2012-12-24 18:05 . 2012-12-24 18:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\ElevatedDiagnostics
2012-12-23 23:22 . 2012-12-23 23:22 -------- d-----w- c:\program files\InCode Solutions
2012-12-23 02:29 . 2012-12-23 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-12-22 22:50 . 2012-12-22 22:50 -------- d-----w- c:\documents and settings\mark090\Application Data\SUPERAntiSpyware.com
2012-12-22 22:49 . 2012-12-22 23:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-12-22 22:49 . 2012-12-22 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-12-19 01:22 . 2012-12-19 01:22 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-12-18 16:00 . 2012-12-18 16:00 -------- d-----w- c:\windows\system32\wbem\Repository
2012-12-18 15:24 . 2009-05-15 15:04 39816 ----a-w- c:\windows\system32\HIPIS0e011aa(2)(3).dll
2012-12-14 00:32 . 2012-12-14 00:32 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-12-14 00:27 . 2012-12-19 00:36 3430 ----a-w- c:\windows\system32\tmp.reg
2012-12-13 22:33 . 2006-10-12 07:10 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-12-13 22:04 . 1997-06-25 19:24 40448 ----a-w- c:\windows\system32\regobj.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-06 07:44 . 2009-10-28 15:59 143040 ----a-w- c:\windows\system32\KevlarSigs.dll
2012-10-29 20:56 . 2012-06-06 18:55 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-10-29 20:56 . 2009-10-28 15:59 159608 ----a-w- c:\windows\system32\mfevtps.exe.25b0.deleteme
2012-10-29 20:56 . 2009-07-30 20:12 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-10-27 23:44 . 2012-10-27 23:44 54016 ----a-w- c:\windows\system32\drivers\jqxaocj.sys
2012-10-22 08:37 . 2002-08-29 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2002-08-29 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 23:54 . 2012-10-29 17:24 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E610F200-F759-4FA1-8CC4-6034F660B022}]
2012-01-31 19:51 850536 ----a-w- c:\program files\Viewfinity\Agent\x32\vf_bho.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAZEL Delivery Agent"="c:\program files\Dazel\Output Envoy\bin\DcDaemon.exe" [2004-07-14 53248]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2009-01-15 674368]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2009-06-25 979104]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2012-07-30 5164632]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"VfTrayIcon"="c:\program files\Viewfinity\Agent\x32\vf_host.exe" [2012-01-31 292968]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-08-12 82256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Specops Password Client"="c:\windows\system32\SppClient.exe" [2011-11-11 865880]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-11-15 333376]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-09-15 215360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CyberSafe TrustBroker Credentials Manager.lnk - c:\program files\CyberSafe\bin\CSTBcred32.exe [2011-2-7 1110344]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [N/A]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Printkey2000.lnk - c:\program files\PrintKey2000\printkey 2000.EXE [2005-3-24 110806]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= "c:\windows\system32\NalExpEx.dll" [2001-07-16 118784]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-05-29 15:00 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SoPwdClt]
2011-11-11 19:46 192088 ----a-w- c:\windows\system32\Spp3Clt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1682089882-2941306068-3343523542-436103\Scripts\Logon\0\0]
"Script"=\\mbu.ad.\netlogon\MBULoginScript\MBULoginScript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1682089882-2941306068-3343523542-436103\Scripts\Logon\1\0]
"Script"=\\mbu.ad..com\netlogon\MBUDefaultUserPolicy\MBUDefaultUserPolicy.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1682089882-2941306068-3343523542-436103\Scripts\Logon\1\1]
"Script"=\\mbu.ad..com\netlogon\LTOLoginScript\LTO-LoginScriptv30.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1682089882-2941306068-3343523542-47834\Scripts\Logon\0\0]
"Script"=\\mbu.ad..com\NETLOGON\MBULoginScript\MBULoginScript-MWF.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1682089882-2941306068-3343523542-47834\Scripts\Logon\0\1]
"Script"=\\mbu.ad..com\NETLOGON\WSLoginScript\WS-Script-MWF.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1682089882-2941306068-3343523542-47834\Scripts\Logon\1\0]
"Script"=\\mbu.ad..com\netlogon\MBULoginScript\MBULoginScript.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1682089882-2941306068-3343523542-47834\Scripts\Logon\2\0]
"Script"=\\mbu.ad..com\netlogon\DomWSScript\DomWS-Script.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [1/15/2009 11:33 AM 217024]
R0 ssfs0bbd;ssfs0bbd;c:\windows\system32\drivers\ssfs0bbd.sys [2/17/2010 5:31 PM 28936]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 9:08 AM 65584]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2/15/2012 8:09 AM 86656]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [6/6/2012 1:55 PM 89528]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R1 vfdrv;vfdrv;c:\windows\system32\drivers\vfdrv.sys [7/13/2011 5:34 PM 234216]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 1:54 PM 116608]
R2 DAZEL Delivery Agent;DAZEL Delivery Agent;DcPSI.exe --> DcPSI.exe [?]
R2 enstart;enstart;c:\windows\system32\enstart.exe [2/15/2012 8:09 AM 946176]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [6/25/2009 1:50 PM 1489984]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [5/26/2010 6:30 PM 132464]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [5/12/2011 11:48 AM 324928]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/13/2012 7:32 PM 159608]
R2 NightWatchman;1E NightWatchman;c:\program files\1E\Agent\NightWatchman\NwmSvc.exe [2/28/2011 6:59 PM 1110360]
R2 NomadBranch;1E Nomad Branch;c:\program files\1E\NomadBranch\NomadBranch.exe [4/11/2012 9:21 PM 1440592]
R2 NwmSleepless;NwmSleepless;c:\windows\system32\drivers\NwmSleepless.sys [12/15/2011 12:04 PM 38464]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [1/15/2009 11:34 AM 621120]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [1/15/2009 11:34 AM 150080]
R2 VF_Agent;Viewfinity Agent;c:\program files\Viewfinity\Agent\vf_agent.exe [1/31/2012 2:49 PM 15316584]
R2 WakeUpAgt;1E WakeUp Agent;c:\program files\1E\Agent\WakeUp\WakeUpAgt.exe [2/28/2011 7:00 PM 426824]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [10/28/2009 10:58 AM 44680]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [10/28/2009 10:59 AM 110384]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [10/28/2009 10:59 AM 38200]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [10/28/2009 10:59 AM 35584]
R3 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [10/28/2009 10:59 AM 35696]
S2 SSI Survey Client;SSI Survey Client;c:\program files\Scalable Software\Survey\SSI Survey Client\SurveyClientNT.EXE --> c:\program files\Scalable Software\Survey\SSI Survey Client\SurveyClientNT.EXE [?]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [10/28/2009 10:58 AM 44680]
S3 hitmanpro36;HitmanPro 3.6 Support Driver;\??\c:\windows\system32\drivers\hitmanpro36.sys --> c:\windows\system32\drivers\hitmanpro36.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [12/18/2012 8:22 PM 35144]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/6/2012 1:55 PM 87656]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [4/14/2010 8:29 PM 32408]
S3 SSI Client Installer;SSI Survey Client Installer Service;c:\windows\system32\SCInstallerNT.exe [8/4/2009 8:01 AM 466944]
S3 VF_Updater;Viewfinity Updater;c:\program files\Viewfinity\Agent\vf_updater.exe [1/31/2012 2:44 PM 1473024]
S4 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [7/20/2009 7:57 AM 217600]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [7/20/2009 7:57 AM 48140]
S4 megasas;megasas;c:\windows\system32\drivers\megasas.sys [7/20/2009 7:57 AM 19712]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 60822464
*NewlyCreated* - 73055407
*Deregistered* - 60822464
*Deregistered* - 73055407
*Deregistered* - mfeavfk01
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4C941B5A-4CE7-4D2A-9DC4-945906BEBB45}]
2008-05-19 05:57 95744 ----a-w- c:\windows\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B59D1FC5-960F-40AC-A4E2-9FF61E8DF3B3}]
2008-05-19 05:57 95744 ----a-w- c:\windows\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E99834E9-F1EB-4F58-B6C8-C2DFEC08881D}]
2008-05-19 05:57 95744 ----a-w- c:\windows\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-13 13:35]
.
2012-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://dnet.dominionnet.com/
uInternet Settings,ProxyOverride = <local>
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone:
Trusted Zone: intuit.com\ttlc
Trusted Zone: qwizonline.com\www
Trusted Zone: vups.org\newtin
Trusted Zone: vups.org\newtina
Trusted Zone: vups.org\newtinb
Trusted Zone:
Trusted Zone: qwizonline.com\www
Trusted Zone: vups.org\newtin
Trusted Zone: vups.org\newtina
Trusted Zone: vups.org\newtinb
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {C63752A5-57DE-4B1A-8174-139505904F0F} - hxxp:///CallParrotWebClient/Public/CallParrotActiveProxy.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-27 21:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1595704953-3681896504-3241715978-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,28,e8,5b,1e,7b,ab,19,48,b2,5c,be,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,f1,51,77,cb,63,30,42,be,35,42,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1376)
c:\windows\system32\pssogina.dll
c:\windows\system32\bcmlogon.dll
c:\windows\system32\SPP3Clt.dll
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll
c:\windows\system32\igfxdev.dll
c:\windows\system32\msi.dll
.
- - - - - - - > 'lsass.exe'(1432)
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll
.
- - - - - - - > 'csrss.exe'(1348)
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll
.
Completion time: 2012-12-27 21:41:32
ComboFix-quarantined-files.txt 2012-12-28 02:41
ComboFix2.txt 2012-12-25 19:26
ComboFix3.txt 2012-12-24 03:59
ComboFix4.txt 2012-12-13 01:44
ComboFix5.txt 2012-12-28 02:04
.
Pre-Run: 28,286,627,840 bytes free
Post-Run: 28,230,733,824 bytes free
.
- - End Of File - - 2FCD1E2164A55139E7B127A2E8FC1448

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
McAfee SiteAdvisor Enterprise Plus
Malwarebytes Anti-Malware version 1.65.1.1000
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.2.152.26 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````


# AdwCleaner v2.103 - Logfile created 12/27/2012 at 21:49:43
# Updated 25/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - ELEHHP5RG1
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [878 octets] - [24/12/2012 13:31:10]
AdwCleaner[R2].txt - [736 octets] - [27/12/2012 21:49:43]
AdwCleaner[S1].txt - [943 octets] - [24/12/2012 13:32:11]

########## EOF - \AdwCleaner[R2].txt - [854 octets] ##########

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 21:51:09 on 2012-12-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2433 [GMT -5:00]
.
FW: McAfee Host Intrusion Prevention Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\DcPSI.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files\1E\Agent\NightWatchman\NwmSvc.exe
C:\Program Files\1E\NomadBranch\NomadBranch.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\pstartSr.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\1E\Agent\NightWatchman\NWMCLI.EXE
C:\Program Files\Dazel\Output Envoy\bin\DcDaemon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\SppClient.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\CCM\SMSCliUI.exe
C:\Program Files\Viewfinity\Agent\vf_agent.exe
C:\Program Files\Viewfinity\Agent\x32\vf_host.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\enstart.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\WINDOWS\system32\SppClient.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\PRINTK~1\PRINTK~1.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = /
uProxyOverride = <local>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120606150416.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: Viewfinity add-on for Internet Explorer (32-bit): {E610F200-F759-4FA1-8CC4-6034F660B022} - c:\program files\viewfinity\agent\x32\vf_bho.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DAZEL Delivery Agent] "c:\program files\dazel\output envoy\bin\DcDaemon.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [VfTrayIcon] "c:\program files\viewfinity\agent\x32\vf_host.exe" -trayicon
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Specops Password Client] c:\windows\system32\SppClient.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cybers~1.lnk - c:\program files\cybersafe\bin\CSTBcred32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\printkey 2000.EXE
uPolicies-Explorer: NoSMBalloonTip = dword:1
uPolicies-Explorer: ForceStartMenuLogOff = dword:1
uPolicies-Explorer: NoAutoUpdate = dword:1
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoMSAppLogo5ChannelNotify = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: legalnoticecaption = Legal Notice
mPolicies-Windows\System: ProfileUnloadTimeout = dword:2
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Windows\System: SlowLinkDetectEnabled = dword:0
mPolicies-Windows\System: SlowLinkProfileDefault = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - c:\program files\iespell\wikipedia.HTM
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} -
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxps://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1356372801328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {C63752A5-57DE-4B1A-8174-139505904F0F} - hxxp:///CallParrotWebClient/Public/CallParrotActiveProxy.CAB
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://dnet-i2.dom.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{50BD9923-4B2E-4D30-9FBE-354882671588} : DHCPNameServer = 75.75.75.75 75.75.76.76
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
Notify: SoPwdClt - SPP3Clt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: <No Name> - {B4870B70-F390-11d2-9FB9-F4ED725EA20D} - c:\windows\system32\NALEXPEX.DLL
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {4C941B5A-4CE7-4D2A-9DC4-945906BEBB45} - msiexec.exe /fou {4C941B5A-4CE7-4D2A-9DC4-945906BEBB45} REINSTALL=CurrentUser /qn
mASetup: {B59D1FC5-960F-40AC-A4E2-9FF61E8DF3B3} - msiexec.exe /fou {B59D1FC5-960F-40AC-A4E2-9FF61E8DF3B3} REINSTALL=CurrentUser /qn
mASetup: {E99834E9-F1EB-4F58-B6C8-C2DFEC08881D} - msiexec.exe /fou {E99834E9-F1EB-4F58-B6C8-C2DFEC08881D} REINSTALL=CurrentUser /qn
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-30 475704]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2009-1-15 217024]
R0 ssfs0bbd;ssfs0bbd;c:\windows\system32\drivers\ssfs0bbd.sys [2010-2-17 28936]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2012-2-15 86656]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-6-6 89528]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 vfdrv;vfdrv;c:\windows\system32\drivers\vfdrv.sys [2011-7-13 234216]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 DAZEL Delivery Agent;DAZEL Delivery Agent;DcPSI.exe --> DcPSI.exe [?]
R2 enstart;enstart;c:\windows\system32\enstart.exe [2012-2-15 946176]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2009-6-25 1489984]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2010-5-26 132464]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2011-5-12 324928]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-11-15 132672]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-6-6 166024]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-9-14 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-12-13 159608]
R2 NightWatchman;1E NightWatchman;c:\program files\1e\agent\nightwatchman\NwmSvc.exe [2011-2-28 1110360]
R2 NomadBranch;1E Nomad Branch;c:\program files\1e\nomadbranch\NomadBranch.exe [2012-4-11 1440592]
R2 NwmSleepless;NwmSleepless;c:\windows\system32\drivers\NwmSleepless.sys [2011-12-15 38464]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2009-1-15 621120]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2009-1-15 150080]
R2 VF_Agent;Viewfinity Agent;c:\program files\viewfinity\agent\vf_agent.exe [2012-1-31 15316584]
R2 WakeUpAgt;1E WakeUp Agent;c:\program files\1e\agent\wakeup\WakeUpAgt.exe [2011-2-28 426824]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2009-10-28 44680]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2009-10-28 110384]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2009-10-28 38200]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2009-10-28 35584]
R3 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-10-28 35696]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-6-6 180328]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SSI Survey Client;SSI Survey Client;c:\program files\scalable software\survey\ssi survey client\surveyclientnt.exe --> c:\program files\scalable software\survey\ssi survey client\SurveyClientNT.EXE [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2009-10-28 44680]
S3 hitmanpro36;HitmanPro 3.6 Support Driver;\??\c:\windows\system32\drivers\hitmanpro36.sys --> c:\windows\system32\drivers\hitmanpro36.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-12-18 35144]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-6-6 59192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-6-6 87656]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2010-4-14 32408]
S3 SSI Client Installer;SSI Survey Client Installer Service;c:\windows\system32\SCInstallerNT.exe [2009-8-4 466944]
S3 VF_Updater;Viewfinity Updater;c:\program files\viewfinity\agent\vf_updater.exe [2012-1-31 1473024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-8-29 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2009-7-20 217600]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2009-7-20 48140]
S4 megasas;megasas;c:\windows\system32\drivers\megasas.sys [2009-7-20 19712]
.
=============== File Associations ===============
.
ShellExec: winaw32.exe: open=c:\program files\symantec\pcanywhere\winaw32.exe
.
=============== Created Last 30 ================
.
2012-12-27 22:50:13 -------- d-----w- c:\program files\ESET
2012-12-25 20:18:13 39816 ----a-w- c:\windows\system32\HIPIS0e011aa.dll
2012-12-24 21:04:06 -------- d-----w- c:\windows\ERUNT
2012-12-24 21:03:45 -------- d-----w- C:\JRT
2012-12-24 21:03:45 -------- d-----w- \JRT
2012-12-24 03:20:57 208896 ----a-w- c:\windows\MBR.exe
2012-12-24 03:20:55 256000 ----a-w- c:\windows\PEV.exe
2012-12-24 03:20:54 98816 ----a-w- c:\windows\sed.exe
2012-12-23 23:22:17 -------- d-----w- c:\program files\InCode Solutions
2012-12-22 22:49:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-12-22 22:49:25 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-12-19 01:22:15 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-12-18 16:00:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-12-18 16:00:29 -------- d-----w- c:\windows\system32\wbem\Repository
2012-12-18 15:24:02 39816 ----a-w- c:\windows\system32\HIPIS0e011aa(2)(3).dll
2012-12-14 00:32:59 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-12-14 00:27:29 3430 ----a-w- c:\windows\system32\tmp.reg
2012-12-13 22:33:42 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-12-13 22:04:04 40448 ----a-w- c:\windows\system32\regobj.dll
2012-12-01 22:23:49 -------- d-sha-r- C:\cmdcons
2012-12-01 22:23:49 -------- d-sha-r- \cmdcons
2012-12-01 22:20:05 -------- d-----w- \Qoobox
.
==================== Find3M ====================
.
2012-12-06 07:44:00 143040 ----a-w- c:\windows\system32\KevlarSigs.dll
2012-10-29 20:56:47 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-10-29 20:56:47 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-10-29 20:56:47 159608 ----a-w- c:\windows\system32\mfevtps.exe.25b0.deleteme
2012-10-27 23:44:25 54016 ----a-w- c:\windows\system32\drivers\jqxaocj.sys
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 23:54:34 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 21:51:48.09 ===============
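The uPolicies-*/mPolicies-* lines in the DDS log above use a compact notation (u = HKCU per-user, m = HKLM machine-wide, dword values in decimal). The Python below is an added example, not part of this thread or of the DDS tool: it parses that notation from a constructed sample that includes the NoSMHelp entry Malwarebytes flagged, lists the policies actually switched on, and separates per-user restrictions from machine-wide ones. The regular expression and the sample lines are my assumptions about the format, not DDS code.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS format used in this thread (u = HKCU per-user,
# m = HKLM machine). Line 1 is the entry Malwarebytes flagged as PUM.Hijack.Help:
# NoSMHelp=1 removes Help from the Start Menu of that account only.
SAMPLE_LOG = """\
uPolicies-Explorer: NoSMHelp = dword:1
uPolicies-Explorer: NoAutoUpdate = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-System: legalnoticecaption = Legal Notice
mPolicies-Windows\\System: SlowLinkDetectEnabled = dword:0
"""

HIVE = {"u": "HKCU", "m": "HKLM"}
# DDS prints dword values in decimal (NoDriveAutoRun = dword:67108863 is 0x3FFFFFF).
LINE = re.compile(r"^([um])Policies-([^:]+):\s*(\S+)\s*=\s*(?:dword:(\d+)|(.*))$")

@dataclass
class Policy:
    hive: str      # HKCU or HKLM
    subkey: str    # Explorer, System, Windows\System, ...
    name: str
    value: object  # int for dword: entries, str for everything else

def parse_policies(text):
    """Turn DDS uPolicies-*/mPolicies-* lines into Policy records; other lines are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        hive, subkey, name, dword, other = m.groups()
        value = int(dword) if dword is not None else other.strip()
        found.append(Policy(HIVE[hive], subkey, name, value))
    return found

def enabled_restrictions(policies):
    """DWORD policies actually in force: a value of 0 (NoDrives = dword:0) imposes nothing."""
    return [p for p in policies if isinstance(p.value, int) and p.value != 0]

def user_only(policies):
    """Restrictions enforced only in HKCU with no HKLM entry. These follow the account,
    which is what a problem seen as one user but not as Administrator looks like."""
    machine = {p.name for p in policies if p.hive == "HKLM"}
    return [p.name for p in enabled_restrictions(policies)
            if p.hive == "HKCU" and p.name not in machine]
```

Run `user_only(parse_policies(SAMPLE_LOG))` to get the names worth checking under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies first; a real DDS log can be passed in place of the sample.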

#4 nasdaq

nasdaq

  • Malware Response Team
  • 37,742 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 28 December 2012 - 11:27 AM

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select the appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.

===

Remove these old versions of Flash and Reader using the Add/Remove Programs list if still present.

Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.2.152.26 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!

===

Remove the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please post the logs and let me know what problem persists.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 37,742 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 AM

Posted 05 January 2013 - 09:22 AM

Are you still with me?



