
MB fails to remove 6 infected files after re-boot


nr800


Hello all,

Having read a similar post on this forum, I am hoping you will be able to help me out as well.

My laptop got infected with the AntiVirus Pro 2010 "software" the other day. Searching around on how to remove it, I came across Malwarebytes. I loaded it up and ran it, and it appeared to do the job; it even removed the feedyard redirect problem. However, it said that 6 objects could not be removed and would require a reboot. After the re-boot I get a message about not being able to find calc.dll. Running MB again results in the same 6 files still being there. So I am back here in the hope you will be able to help me.

The MB log and HijackThis log are below.

Malwarebytes' Anti-Malware 1.41

Database version: 2971

Windows 5.1.2600 Service Pack 2

17/10/2009 18:42:11

mbam-log-2009-10-17 (18-42-03).txt

Scan type: Quick Scan

Objects scanned: 154990

Time elapsed: 1 hour(s), 27 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.

C:\Documents and Settings\nr\Start Menu\Programs\Startup\scandisk.dll (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\nr\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.



Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, do the following, please.

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Thank you so much for replying, the logs are below:

DDS (Ver_09-10-26.01) - NTFSx86

Run by nr at 18:58:30.78 on 27/10/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.366 [GMT 0:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Outdated) {E3EA54D7-BEAD-4E68-88E4-C92C9399F260}

============== Running Processes ===============

svchost.exe

C:\Program Files\SafeNet ProtectDrive\ClientDM.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\MentorGraphics\2007.5EE\SDD_HOME\iCDB\win32\bin\iCDBNetLauncher.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Rational\ClearCase\bin\lockmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\o2flash.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\SafeNet ProtectDrive\storageencryptionservice.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\RightFax\FaxCtrl.exe

C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe

C:\Program Files\SafeNet ProtectDrive\pdtrayicon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\ArcSoft\TotalMedia\TMMonitor.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\SafeNet ProtectDrive\pdencoder.exe

C:\TEMP\KP2CA1.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\nr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uWindow Title = Microsoft Internet Explorer provided by Roke IT

uSearch Bar = hxxp://www.google.co.uk

uInternet Settings,ProxyOverride = <local>

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [calc] rundll32.exe c:\docume~1\networ~1\ntuser.dll,_IWMPEvents@0

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow

mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\\FaxCtrl.exe

mRun: [smartSync - ScheduleSync] c:\progra~1\mobile~1\smarts~1\SCHEDU~1.EXE

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [CCDoctorLogonTesting] "c:\program files\rational\clearcase\bin\ccdoctor.exe" /LogonStartup

mRun: [AS00_WN511B] c:\program files\netgear\wn511b\utility\WN511B.exe -hide

mRun: [CrypWarning] "c:\program files\safenet protectdrive\chkcryp.exe"

mRun: [pdtrayicon] "c:\program files\safenet protectdrive\pdtrayicon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tmmoni~1.lnk - c:\program files\arcsoft\totalmedia\TMMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: nationet.com\olb2

Trusted Zone: roke.co.uk\as-ankara.sapnet.ad

Trusted Zone: roke.co.uk\as-delhi.sapnet.ad

Trusted Zone: roke.co.uk\www

Trusted Zone: siemens.com

Trusted Zone: siemens.com\intranet

Trusted Zone: streamsend.com\app

Trusted Zone: roke.co.uk\as-ankara.sapnet.ad

Trusted Zone: roke.co.uk\as-delhi.sapnet.ad

Trusted Zone: roke.co.uk\www

Trusted Zone: siemens.com\intranet

Trusted Zone: streamsend.com\app

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - hxxps://rmrlvpn.roke.co.uk/dana-cached/setup/NeoterisSetup.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204333648515

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204333601531

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: ccnotify - c:\program files\rational\bin\ccnotify.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nr\applic~1\mozilla\firefox\profiles\hq216n2j.default\

FF - prefs.js: browser.startup.homepage - hxxps://intranet1.roke.co.uk/portal/

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 e_dasdf$;e_dasdf$;c:\windows\system32\drivers\ted.sys [2007-8-13 248448]

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-7-8 34176]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-9-23 28544]

R0 pdac;ProtectDrive Access Control Filter Driver;c:\windows\system32\drivers\pdAC.sys [2007-8-13 14208]

R0 pded;ProtectDrive Encryption Filter Driver;c:\windows\system32\drivers\pded.sys [2007-8-13 140800]

R0 pdefs;pdefs;c:\windows\system32\drivers\pdefs.sys [2004-6-8 8064]

R0 SafeCgx;SafeCgx;c:\windows\system32\drivers\SafeCgx.sys [2006-9-25 480318]

R2 ClientDataManager;Client Data Manager;c:\program files\safenet protectdrive\ClientDM.exe [2007-8-13 352256]

R2 EESessionManager;Remote Server Configuration Manager;c:\mentorgraphics\2007.5ee\sdd_home\icdb\win32\bin\iCDBNetLauncher.exe [2009-9-10 1396736]

R2 StorageEncryptionService;Storage Encryption Service;c:\program files\safenet protectdrive\storageencryptionservice.exe [2007-8-13 397426]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2009-3-27 225296]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-3-27 36368]

R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2007-7-8 16194]

R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2006-11-15 4864]

R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [2005-5-9 507016]

S2 Albd;Atria Location Broker;c:\program files\rational\clearcase\bin\albd_server.exe [2005-5-17 176016]

S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [2008-10-12 14592]

S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [2008-10-12 18944]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-31 652552]

=============== Created Last 30 ================

2009-10-27 18:58:29 0 d-----w- c:\temp\5EF.tmp

2009-10-20 19:30:06 296224 ----a-w- c:\temp\KP2CA1.EXE

2009-10-20 19:30:04 25088 --sha-w- c:\windows\system32\calc.dll

2009-10-20 19:30:04 0 d-----w- c:\temp\WPDNSE

2009-10-20 19:29:48 16384 ----atw- c:\temp\Perflib_Perfdata_7c4.dat

2009-10-15 18:12:06 25088 --sha-w- c:\documents and settings\nr\ntuser.dll

2009-10-13 18:53:16 0 d-----w- c:\docume~1\nr\applic~1\Malwarebytes

2009-10-13 18:52:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-13 18:52:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-13 18:52:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-10-13 18:52:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-11 11:49:23 0 d-----w- c:\temp\10111249000014449kk8cmksmn

2009-10-11 11:49:18 0 d-----w- c:\temp\1011124900001444kmtowdsp71

2009-10-11 11:49:07 0 d-----w- c:\temp\1011124900001444ycfm8wym4c

2009-10-11 11:48:42 0 d-----w- c:\temp\1011124800001444uxnkmb0gft

2009-10-11 11:48:35 0 d-----w- c:\temp\1011124800001444fq5hjagie5

2009-10-11 11:48:29 0 d-----w- c:\temp\101112480000144442fo73rkgj

2009-10-11 11:48:16 0 d-----w- c:\temp\1011124800001444h1memlfxya

2009-10-11 11:48:07 0 d-----w- c:\temp\1011124800001444p6h0u7ugku

2009-10-11 11:46:31 0 d-----w- c:\temp\1011124600001444vdpdqydx37

2009-10-11 11:45:47 0 d-----w- c:\temp\1011124500001444wgiq2df5nr

2009-10-11 11:45:13 0 d-----w- c:\temp\10111245000014441o9u4tewad

2009-10-11 11:41:19 100 ----a-w- c:\windows\WININIT.INI

2009-10-11 11:24:43 19594 ----a-w- c:\windows\kiqy._dl

2009-10-11 11:24:43 10367 ----a-w- c:\program files\common files\ujogewy.com

2009-10-11 11:24:42 19068 ----a-w- c:\windows\nyvocuk.dl

2009-10-11 11:24:42 19027 ----a-w- c:\windows\system32\abatepako.bat

2009-10-11 11:24:42 17675 ----a-w- c:\windows\xawaz.lib

2009-10-11 11:24:42 16400 ----a-w- c:\windows\xupunasim.db

2009-10-11 11:24:42 15943 ----a-w- c:\windows\opufede._dl

2009-10-10 22:48:53 16384 ----atw- c:\temp\Perflib_Perfdata_ac.dat

2009-10-06 20:10:43 0 d-----w- c:\temp\VBE

2009-10-06 19:40:34 0 d-----w- c:\temp\1006204000000e24ayz72ofxgw

2009-10-06 19:39:48 0 d-----w- c:\temp\1006203900000e24fdh860453c

2009-10-06 19:38:36 0 d-----w- c:\temp\1006203800000e24clhbc4ycwa

2009-10-06 19:38:22 0 d-----w- c:\temp\1006203800000e24jj3bfoqv79

2009-10-06 19:36:46 0 d-----w- c:\temp\1006203600000e24pgh8uurd7i

2009-10-06 19:36:28 0 d-----w- c:\program files\Microsoft

2009-10-06 19:36:22 0 d-----w- c:\temp\1006203600000e24cbvpcz20sg

2009-10-06 19:36:08 0 d-----w- c:\temp\1006203600000e246c6o20v70l

2009-10-03 15:59:13 0 d-----w- c:\temp\MessengerCache

2009-10-03 15:57:14 16384 ----atw- c:\temp\Perflib_Perfdata_764.dat

2009-09-30 11:52:38 3136 ----a-w- c:\temp\ExchangePerflog_8484fa3123887facbb50682b.dat

==================== Find3M ====================

2009-10-11 11:24:42 15761 ----a-w- c:\program files\common files\ajefepov.db

2009-10-03 18:07:22 77791 ----a-w- c:\windows\fonts\AdobeFnt07.lst

2009-09-06 14:36:02 37 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences.dat

2009-09-06 14:18:56 45 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences2.dat

2003-06-19 11:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll

============= FINISH: 18:58:54.50 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 15/11/2006 17:34:54

System Uptime: 22/10/2009 20:22:11 (118 hours ago)

Motherboard: FUJITSU | | FJNB1AF

Processor: Genuine Intel® CPU T2300 @ 1.66GHz | Onboard | 1662/167mhz

Processor: Genuine Intel® CPU T2300 @ 1.66GHz | Onboard | 1662/167mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 29.242 GiB free.

E: is CDROM ()

M: is NetworkDisk (MVFS) - 1 GiB total, 0.488 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat 6.0 Standard

Adobe Atmosphere Player for Acrobat and Adobe Reader

Adobe Flash Player 10 ActiveX

Adobe Shockwave Player 11

Agere Systems HDA Modem

ArcSoft TotalMedia

AttachmentOptions

AutoIt v3.3.0.0

AWR Design Environment 2006 (7.03.3161.2)

CCleaner (remove only)

ErgChatter

FileZilla Client 3.2.2.1

FinePixViewer Resource

FinePixViewer Ver.5.1

FUJIFILM USB Driver

FWCV_4306_4320_VR002

Garmin Communicator Plugin

Garmin USB Drivers

GC-Prevue

GC-Prevue 17.1.2

GW2ODB Translator

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows XP (KB896256)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB935448)

Hotfix for Windows XP (KB954708)

ImageMixer VCD2 LE for FinePix

Intel® Graphics Media Accelerator Driver

InterVideo WinDVD

Java 6 Update 11

Juniper Networks Host Checker

Juniper Networks Network Connect 5.0.0

LogCard Utility

Malwarebytes' Anti-Malware

Mathcad 2000 Professional

Memory-Map OS Edition Version 5

Mentor Graphics Products

MGC Visual Studio 7 Runtime

Microsoft .NET Framework 2.0

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Professional Edition 2003

Microsoft Office Visio Standard 2003

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual SourceSafe NetSetup

Mobile Modem Assistant

Mobile Phone Manager

Mozilla Firefox (3.0.8)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

Nero Suite

O2Micro Flash Memory Card Windows Driver

O2Micro Smartcard Driver

OKI ADPCM Driver

PDFCreator

Pertmaster v7.81

PM3 Flash Update Utility

PM3 Venue Race Application

PMI

PMI (C:\Program Files\PMTextCtl\)

RangeMax NEXT Wireless Notebook Adapter WN511B

Ranger Outpost Remote Client

Rational ClearCase

RAW FILE CONVERTER LE

Realtek High Definition Audio Driver

RFClient

SafeNet ProtectDrive

Security Update for Microsoft .NET Framework 2.0 (KB928365)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899589)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB929969)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933566)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB937143)

Security Update for Windows XP (KB937894)

Security Update for Windows XP (KB938127)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB939653)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB942615)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944533)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB948881)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958470)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971032)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB973346)

SmartSync

SMS Advanced Client

SoftPlot Measurement Presentation V6.0

SoftPlot Measurement Presentation V7.0

Synaptics Pointing Device Driver

TortoiseSVN 1.6.3.16613 (32 bit)

Trend Micro OfficeScan Client

Unified Messaging for Microsoft Exchange

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB930916)

Update for Windows XP (KB932823-v3)

Update for Windows XP (KB936357)

Update for Windows XP (KB938828)

Update for Windows XP (KB967715)

VNC Free Edition 4.1.3

WebFldrs XP

Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Hotfix - KB883667

WinRAR archiver

WinZip

==== Event Viewer Messages From Past Week ========

20/10/2009 20:29:56, error: Service Control Manager [7000] - The DS1410D service failed to start due to the following error: The system cannot find the file specified.

20/10/2009 17:49:30, error: NETLOGON [5719] - No Domain Controller is available for domain COMM due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

==== End Of File ===========================


Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
     Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Thanks Blade81

Combofix log followed by new DDS log and zipped attach.txt

ComboFix 09-10-26.06 - nr 27/10/2009 21:25.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.344 [GMT 0:00]

Running from: c:\documents and settings\nr\Desktop\ComboFix.exe

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E3EA54D7-BEAD-4E68-88E4-C92C9399F260}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\All Users\Documents\tazo.dll

c:\documents and settings\NetworkService\ntuser.dll

c:\documents and settings\nr\Application Data\iniasd.txt

c:\documents and settings\nr\Application Data\rarej.ban

c:\documents and settings\nr\Cookies\gicedyki.db

c:\documents and settings\nr\Local Settings\Application Data\ewuqymiqa.dll

c:\documents and settings\nr\Local Settings\Application Data\ziwo.sys

c:\documents and settings\nr\ntuser.dll

c:\documents and settings\nr\Start Menu\Programs\Startup\scandisk.dll

c:\documents and settings\nr\Start Menu\Programs\Startup\scandisk.lnk

c:\program files\Common Files\ujogewy.com

c:\windows\kiqy._dl

c:\windows\nyvocuk.dl

c:\windows\opufede._dl

c:\windows\system32\abatepako.bat

c:\windows\system32\calc.dll

c:\windows\system32\dumphive.exe

c:\windows\system32\hf6xi0g.dll

c:\windows\system32\Process.exe

c:\windows\system32\prsgrc.dll

c:\windows\system32\SrchSTS.exe

c:\windows\system32\VCCLSID.exe

----- BITS: Possible infected sites -----

hxxp://wsus.comm.ad.roke.co.uk:8530

hxxp://US-MEDFORD:80

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SYSTEM

((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))

.

2009-10-27 21:35 . 2009-10-27 21:35 -------- d-----w- c:\temp\WPDNSE

2009-10-27 21:35 . 2009-05-13 11:16 296224 ----a-w- c:\temp\DC2720.EXE

2009-10-27 21:34 . 2009-10-27 21:34 16384 ----atw- c:\temp\Perflib_Perfdata_780.dat

2009-10-13 18:53 . 2009-10-13 18:53 -------- d-----w- c:\documents and settings\nr\Application Data\Malwarebytes

2009-10-13 18:52 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-13 18:52 . 2009-10-13 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-13 18:52 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-13 18:52 . 2009-10-13 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-11 11:49 . 2009-10-27 21:30 -------- d-----w- c:\temp\10111249000014449kk8cmksmn

2009-10-11 11:49 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124900001444kmtowdsp71

2009-10-11 11:49 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124900001444ycfm8wym4c

2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124800001444uxnkmb0gft

2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124800001444fq5hjagie5

2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\101112480000144442fo73rkgj

2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124800001444h1memlfxya

2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124800001444p6h0u7ugku

2009-10-11 11:46 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124600001444vdpdqydx37

2009-10-11 11:45 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124500001444wgiq2df5nr

2009-10-11 11:45 . 2009-10-27 21:30 -------- d-----w- c:\temp\10111245000014441o9u4tewad

2009-10-06 20:10 . 2009-10-27 21:30 -------- d-----w- c:\temp\VBE

2009-10-06 19:40 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006204000000e24ayz72ofxgw

2009-10-06 19:39 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203900000e24fdh860453c

2009-10-06 19:38 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203800000e24clhbc4ycwa

2009-10-06 19:38 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203800000e24jj3bfoqv79

2009-10-06 19:36 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203600000e24pgh8uurd7i

2009-10-06 19:36 . 2009-10-06 19:36 -------- d-----w- c:\program files\Microsoft

2009-10-06 19:36 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203600000e24cbvpcz20sg

2009-10-06 19:36 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203600000e246c6o20v70l

2009-10-03 15:59 . 2009-10-27 21:30 -------- d-----w- c:\temp\MessengerCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-17 17:43 . 2006-11-15 16:04 -------- d-----w- c:\program files\Trend Micro

2009-10-11 12:00 . 2007-12-16 22:05 -------- d-----w- c:\program files\Windows Live

2009-10-11 11:43 . 2009-07-02 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-10-11 11:43 . 2007-07-16 19:15 -------- d-----w- c:\program files\Yahoo!

2009-10-11 11:41 . 2006-11-15 15:46 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-11 11:24 . 2009-10-11 11:24 15761 ----a-w- c:\program files\Common Files\ajefepov.db

2009-10-10 17:32 . 2009-03-17 17:46 -------- d-----w- c:\program files\Microsoft Silverlight

2009-10-02 10:09 . 2006-11-17 22:29 -------- d-----w- c:\documents and settings\nr\Application Data\AdobeUM

2009-09-10 13:11 . 2007-08-22 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\mgc

2009-09-10 13:09 . 2006-11-15 15:46 -------- d-----w- c:\program files\Common Files\InstallShield

2009-09-06 14:36 . 2009-08-30 22:16 37 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences.dat

2009-09-06 14:18 . 2009-09-05 11:46 45 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences2.dat

2009-09-04 23:15 . 2006-11-29 18:05 56696 ----a-w- c:\documents and settings\nr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2003-06-19 11:05 . 2003-06-19 11:05 431888 --s-a-w- c:\program files\Common Files\riched20.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-05 761946]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-05-13 718120]

"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\\FaxCtrl.exe" [2004-05-20 110592]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"CCDoctorLogonTesting"="c:\program files\Rational\ClearCase\bin\ccdoctor.exe" [2003-09-26 126976]

"AS00_WN511B"="c:\program files\NETGEAR\WN511B\Utility\WN511B.exe" [2006-04-20 1413241]

"CrypWarning"="c:\program files\SafeNet ProtectDrive\chkcryp.exe" [2007-08-13 77824]

"pdtrayicon"="c:\program files\SafeNet ProtectDrive\pdtrayicon.exe" [2007-08-13 126976]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-12-09 15691264]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-17 88365]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-11-26 282624]

TMMonitor.lnk - c:\program files\ArcSoft\TotalMedia\TMMonitor.exe [2008-10-12 147456]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-11-15 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\Concept2\\Venue Race Application\\PM3VenueRace.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

R0 e_dasdf$;e_dasdf$;c:\windows\system32\drivers\ted.sys [13/08/2007 10:01 248448]

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [08/07/2005 14:06 34176]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [23/09/2005 07:48 28544]

R0 pdac;ProtectDrive Access Control Filter Driver;c:\windows\system32\drivers\pdAC.sys [13/08/2007 10:01 14208]

R0 pded;ProtectDrive Encryption Filter Driver;c:\windows\system32\drivers\pded.sys [13/08/2007 10:02 140800]

R0 pdefs;pdefs;c:\windows\system32\drivers\pdefs.sys [08/06/2004 19:08 8064]

R0 SafeCgx;SafeCgx;c:\windows\system32\drivers\SafeCgx.sys [25/09/2006 09:38 480318]

R2 EESessionManager;Remote Server Configuration Manager;c:\mentorgraphics\2007.5EE\SDD_HOME\iCDB\win32\bin\iCDBNetLauncher.exe [10/09/2009 12:44 1396736]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [27/03/2009 18:16 225296]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [27/03/2009 18:16 36368]

R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [08/07/2007 18:50 16194]

R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [15/11/2006 15:45 4864]

R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [09/05/2005 12:39 507016]

S2 Albd;Atria Location Broker;c:\program files\Rational\ClearCase\bin\albd_server.exe [17/05/2005 21:13 176016]

S2 ClientDataManager;Client Data Manager;c:\program files\SafeNet ProtectDrive\ClientDM.exe [13/08/2007 10:10 352256]

S2 StorageEncryptionService;Storage Encryption Service;c:\program files\SafeNet ProtectDrive\storageencryptionservice.exe [13/08/2007 10:12 397426]

S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [12/10/2008 09:53 14592]

S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [12/10/2008 09:53 18944]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [31/10/2008 14:46 652552]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Trusted Zone: nationet.com\olb2

Trusted Zone: roke.co.uk\as-ankara.sapnet.ad

Trusted Zone: roke.co.uk\as-delhi.sapnet.ad

Trusted Zone: roke.co.uk\www

Trusted Zone: siemens.com

Trusted Zone: siemens.com\intranet

Trusted Zone: streamsend.com\app

Trusted Zone: roke.co.uk\as-ankara.sapnet.ad

Trusted Zone: roke.co.uk\as-delhi.sapnet.ad

Trusted Zone: roke.co.uk\www

Trusted Zone: siemens.com\intranet

Trusted Zone: streamsend.com\app

FF - ProfilePath - c:\documents and settings\nr\Application Data\Mozilla\Firefox\Profiles\hq216n2j.default\

FF - prefs.js: browser.startup.homepage - hxxps://intranet1.roke.co.uk/portal/

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe

Notify-ccnotify - c:\program files\Rational\bin\ccnotify.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-27 21:40

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)

c:\program files\SafeNet ProtectDrive\pcvgina.dll

c:\program files\SafeNet ProtectDrive\pdproduct.dll

c:\program files\SafeNet ProtectDrive\EACS.dll

c:\program files\SafeNet ProtectDrive\cgxapi.dll

c:\windows\system32\SafeCgx.dll

c:\program files\SafeNet ProtectDrive\poieventlog.dll

c:\program files\SafeNet ProtectDrive\EVER.dll

c:\program files\Rational\ClearCase\bin\ccasenp.dll

c:\program files\Rational\ClearCase\bin\LIBATRIANT.dll

c:\program files\SafeNet ProtectDrive\localstoremanager.dll

c:\program files\SafeNet ProtectDrive\baseds.dll

c:\program files\SafeNet ProtectDrive\clientuserstore.dll

c:\program files\SafeNet ProtectDrive\userstore.dll

c:\program files\SafeNet ProtectDrive\userstoreloadersaver.dll

c:\program files\SafeNet ProtectDrive\serverstore.dll

c:\program files\SafeNet ProtectDrive\XercesLib.dll

c:\program files\SafeNet ProtectDrive\usermanagement.dll

c:\program files\SafeNet ProtectDrive\SsoHook.dll

- - - - - - - > 'lsass.exe'(740)

c:\program files\Rational\ClearCase\bin\ccasenp.dll

c:\program files\Rational\ClearCase\bin\LIBATRIANT.dll

- - - - - - - > 'explorer.exe'(3348)

c:\windows\system32\WININET.dll

c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

c:\program files\TortoiseSVN\bin\TortoiseStub.dll

c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

c:\program files\TortoiseSVN\bin\intl3_tsvn.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Rational\ClearCase\bin\ccasenp.dll

c:\program files\Rational\ClearCase\bin\LIBATRIANT.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\SCardSvr.exe

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Rational\ClearCase\bin\lockmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe

c:\windows\system32\o2flash.exe

c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe

c:\program files\RealVNC\VNC4\WinVNC4.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\system32\msiexec.exe

c:\combofix\CF29083.exe

c:\program files\TortoiseSVN\bin\TSVNCache.exe

c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

c:\temp\DC2720.EXE

c:\program files\RightFax\FaxCtrl.exe

c:\combofix\PEV.cfxxe

.

**************************************************************************

.

Completion time: 2009-10-27 21:41 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-27 21:40

Pre-Run: 31,309,975,552 bytes free

Post-Run: 31,320,522,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1F844E20DF2051F52582E6CB3DD9A3E2

DDS (Ver_09-10-26.01) - NTFSx86

Run by nr at 21:48:37.64 on 27/10/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.475 [GMT 0:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Outdated) {E3EA54D7-BEAD-4E68-88E4-C92C9399F260}

============== Running Processes ===============

svchost.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\MentorGraphics\2007.5EE\SDD_HOME\iCDB\win32\bin\iCDBNetLauncher.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Rational\ClearCase\bin\lockmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\o2flash.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\TEMP\DC2720.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\RightFax\FaxCtrl.exe

C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\ArcSoft\TotalMedia\TMMonitor.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\nr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = <local>

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow

mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\\FaxCtrl.exe

mRun: [smartSync - ScheduleSync] c:\progra~1\mobile~1\smarts~1\SCHEDU~1.EXE

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [CCDoctorLogonTesting] "c:\program files\rational\clearcase\bin\ccdoctor.exe" /LogonStartup

mRun: [AS00_WN511B] c:\program files\netgear\wn511b\utility\WN511B.exe -hide

mRun: [CrypWarning] "c:\program files\safenet protectdrive\chkcryp.exe"

mRun: [pdtrayicon] "c:\program files\safenet protectdrive\pdtrayicon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tmmoni~1.lnk - c:\program files\arcsoft\totalmedia\TMMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: nationet.com\olb2

Trusted Zone: roke.co.uk\as-ankara.sapnet.ad

Trusted Zone: roke.co.uk\as-delhi.sapnet.ad

Trusted Zone: roke.co.uk\www

Trusted Zone: siemens.com

Trusted Zone: siemens.com\intranet

Trusted Zone: streamsend.com\app

Trusted Zone: roke.co.uk\as-ankara.sapnet.ad

Trusted Zone: roke.co.uk\as-delhi.sapnet.ad

Trusted Zone: roke.co.uk\www

Trusted Zone: siemens.com\intranet

Trusted Zone: streamsend.com\app

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - hxxps://rmrlvpn.roke.co.uk/dana-cached/setup/NeoterisSetup.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204333648515

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204333601531

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nr\applic~1\mozilla\firefox\profiles\hq216n2j.default\

FF - prefs.js: browser.startup.homepage - hxxps://intranet1.roke.co.uk/portal/

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 e_dasdf$;e_dasdf$;c:\windows\system32\drivers\ted.sys [2007-8-13 248448]

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-7-8 34176]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-9-23 28544]

R0 pdac;ProtectDrive Access Control Filter Driver;c:\windows\system32\drivers\pdAC.sys [2007-8-13 14208]

R0 pded;ProtectDrive Encryption Filter Driver;c:\windows\system32\drivers\pded.sys [2007-8-13 140800]

R0 pdefs;pdefs;c:\windows\system32\drivers\pdefs.sys [2004-6-8 8064]

R0 SafeCgx;SafeCgx;c:\windows\system32\drivers\SafeCgx.sys [2006-9-25 480318]

R2 EESessionManager;Remote Server Configuration Manager;c:\mentorgraphics\2007.5ee\sdd_home\icdb\win32\bin\iCDBNetLauncher.exe [2009-9-10 1396736]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2009-3-27 225296]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-3-27 36368]

R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2007-7-8 16194]

R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2006-11-15 4864]

R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [2005-5-9 507016]

S2 Albd;Atria Location Broker;c:\program files\rational\clearcase\bin\albd_server.exe [2005-5-17 176016]

S2 ClientDataManager;Client Data Manager;c:\program files\safenet protectdrive\ClientDM.exe [2007-8-13 352256]

S2 StorageEncryptionService;Storage Encryption Service;c:\program files\safenet protectdrive\storageencryptionservice.exe [2007-8-13 397426]

S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [2008-10-12 14592]

S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [2008-10-12 18944]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-31 652552]

=============== Created Last 30 ================

2009-10-27 21:48:37 0 d-----w- c:\temp\3.tmp

2009-10-27 21:40:27 0 d-----w- c:\temp\WPDNSE

2009-10-27 21:35:03 296224 ----a-w- c:\temp\DC2720.EXE

2009-10-27 21:34:19 16384 ----atw- c:\temp\Perflib_Perfdata_780.dat

2009-10-27 21:24:38 0 d-sha-r- C:\cmdcons

2009-10-27 21:21:51 98816 ----a-w- c:\windows\sed.exe

2009-10-27 21:21:51 77312 ----a-w- c:\windows\MBR.exe

2009-10-27 21:21:51 236544 ----a-w- c:\windows\PEV.exe

2009-10-27 21:21:51 161792 ----a-w- c:\windows\SWREG.exe

2009-10-13 18:53:16 0 d-----w- c:\docume~1\nr\applic~1\Malwarebytes

2009-10-13 18:52:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-13 18:52:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-13 18:52:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-10-13 18:52:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-11 11:49:23 0 d-----w- c:\temp\10111249000014449kk8cmksmn

2009-10-11 11:49:18 0 d-----w- c:\temp\1011124900001444kmtowdsp71

2009-10-11 11:49:07 0 d-----w- c:\temp\1011124900001444ycfm8wym4c

2009-10-11 11:48:42 0 d-----w- c:\temp\1011124800001444uxnkmb0gft

2009-10-11 11:48:35 0 d-----w- c:\temp\1011124800001444fq5hjagie5

2009-10-11 11:48:29 0 d-----w- c:\temp\101112480000144442fo73rkgj

2009-10-11 11:48:16 0 d-----w- c:\temp\1011124800001444h1memlfxya

2009-10-11 11:48:07 0 d-----w- c:\temp\1011124800001444p6h0u7ugku

2009-10-11 11:46:31 0 d-----w- c:\temp\1011124600001444vdpdqydx37

2009-10-11 11:45:47 0 d-----w- c:\temp\1011124500001444wgiq2df5nr

2009-10-11 11:45:13 0 d-----w- c:\temp\10111245000014441o9u4tewad

2009-10-11 11:41:19 100 ----a-w- c:\windows\WININIT.INI

2009-10-11 11:24:42 17675 ----a-w- c:\windows\xawaz.lib

2009-10-11 11:24:42 16400 ----a-w- c:\windows\xupunasim.db

2009-10-06 20:10:43 0 d-----w- c:\temp\VBE

2009-10-06 19:40:34 0 d-----w- c:\temp\1006204000000e24ayz72ofxgw

2009-10-06 19:39:48 0 d-----w- c:\temp\1006203900000e24fdh860453c

2009-10-06 19:38:36 0 d-----w- c:\temp\1006203800000e24clhbc4ycwa

2009-10-06 19:38:22 0 d-----w- c:\temp\1006203800000e24jj3bfoqv79

2009-10-06 19:36:46 0 d-----w- c:\temp\1006203600000e24pgh8uurd7i

2009-10-06 19:36:28 0 d-----w- c:\program files\Microsoft

2009-10-06 19:36:22 0 d-----w- c:\temp\1006203600000e24cbvpcz20sg

2009-10-06 19:36:08 0 d-----w- c:\temp\1006203600000e246c6o20v70l

2009-10-03 15:59:13 0 d-----w- c:\temp\MessengerCache

==================== Find3M ====================

2009-10-11 11:24:42 15761 ----a-w- c:\program files\common files\ajefepov.db

2009-10-03 18:07:22 77791 ----a-w- c:\windows\fonts\AdobeFnt07.lst

2009-09-06 14:36:02 37 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences.dat

2009-09-06 14:18:56 45 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences2.dat

2003-06-19 11:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll

============= FINISH: 21:48:52.78 ===============

Attach.zip

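Read as a timeline rather than a list, the DDS output above already points at the infection: xawaz.lib, xupunasim.db and ajefepov.db were all written in the same second (2009-10-11 11:24:42) into two different system directories, and the c:\temp directories all carry the same 26-character machine-generated name shape. The following is an added example (my own code, not part of this thread, DDS, Malwarebytes or ComboFix) that parses lines in the DDS listing format and applies those three heuristics. The sample input is constructed from a few lines of the posted log; the rules, thresholds and the TEMP_DIR_SHAPE pattern are my assumptions drawn from what is visible in the listing, not DDS logic.

```python
import re
from collections import defaultdict

# Constructed sample in the DDS listing format: date time size attrs path.
# Lines are copied from the posted log; it is an excerpt, not the whole log.
SAMPLE_DDS = r"""
2009-10-27 21:21:51 77312 ----a-w- c:\windows\MBR.exe
2009-10-13 18:52:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-11 11:49:23 0 d-----w- c:\temp\10111249000014449kk8cmksmn
2009-10-11 11:49:18 0 d-----w- c:\temp\1011124900001444kmtowdsp71
2009-10-11 11:24:42 17675 ----a-w- c:\windows\xawaz.lib
2009-10-11 11:24:42 16400 ----a-w- c:\windows\xupunasim.db
2009-10-11 11:24:42 15761 ----a-w- c:\program files\common files\ajefepov.db
2009-10-03 18:07:22 77791 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2003-06-19 11:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll
"""

# One DDS listing line: date, time, size, attribute string, path.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Assumption: the c:\temp directory names in the log share one shape,
# 8 digits, 8 hex digits, 10 lowercase alphanumerics (26 characters).
TEMP_DIR_SHAPE = re.compile(r"^\d{8}[0-9a-f]{8}[a-z0-9]{10}$")

# Assumption: "data" extensions that have no business sitting loose in
# these directories (the log shows .lib/.db files dropped there).
ODD_EXT_IN_SYSTEM_DIRS = {".lib", ".db", ".dat", ".tmp"}
SYSTEM_DIRS = ("c:\\windows", "c:\\program files\\common files")


def parse_dds(text):
    """Parse DDS listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["is_dir"] = d["attrs"].startswith("d")
        d["path"] = d["path"].lower()  # NTFS paths are case-insensitive
        entries.append(d)
    return entries


def parent_and_name(path):
    parent, _, name = path.rpartition("\\")
    return parent, name


def ext_of(name):
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def triage(entries):
    """Return {path: [reasons]} for entries that deserve a closer look."""
    findings = defaultdict(list)

    # 1. Dropper clusters: several files written in the same second into
    #    different directories is what one installer run looks like.
    by_stamp = defaultdict(list)
    for e in entries:
        if not e["is_dir"]:
            by_stamp[(e["date"], e["time"])].append(e)
    for (date, time), group in by_stamp.items():
        parents = {parent_and_name(e["path"])[0] for e in group}
        if len(group) >= 2 and len(parents) >= 2:
            for e in group:
                findings[e["path"]].append(
                    f"written same second as {len(group) - 1} other file(s) at {date} {time}")

    # 2. Non-executable data extensions dropped directly into a system dir.
    for e in entries:
        parent, name = parent_and_name(e["path"])
        if not e["is_dir"] and parent in SYSTEM_DIRS and ext_of(name) in ODD_EXT_IN_SYSTEM_DIRS:
            findings[e["path"]].append(f"{ext_of(name)} file directly in {parent}")

    # 3. c:\temp directories with the machine-generated name shape.
    for e in entries:
        parent, name = parent_and_name(e["path"])
        if e["is_dir"] and parent == "c:\\temp" and TEMP_DIR_SHAPE.match(name):
            findings[e["path"]].append("generated-name temp directory")

    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(parse_dds(SAMPLE_DDS)).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Rule 1 deliberately requires two different parent directories, so the three ComboFix helpers (MBR.exe, PEV.exe, SWREG.exe) written together into c:\windows are not flagged while the three dropped data files are. Run the script over a full DDS log and the flagged set is a reasonable starting list for VirusTotal uploads and for the File:: and Folder:: sections of a CFScript.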

Hi again,

Upload following file to http://www.virustotal.com and post back the results:

c:\windows\system32\drivers\ted.sys

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\Common Files\ajefepov.db
c:\temp\3.tmp
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Folder::
c:\temp\10111249000014449kk8cmksmn
c:\temp\1011124900001444kmtowdsp71
c:\temp\1011124900001444ycfm8wym4c
c:\temp\1011124800001444uxnkmb0gft
c:\temp\1011124800001444fq5hjagie5
c:\temp\101112480000144442fo73rkgj
c:\temp\1011124800001444h1memlfxya
c:\temp\1011124800001444p6h0u7ugku
c:\temp\1011124600001444vdpdqydx37
c:\temp\1011124500001444wgiq2df5nr
c:\temp\10111245000014441o9u4tewad
c:\temp\1006204000000e24ayz72ofxgw
c:\temp\1006203900000e24fdh860453c
c:\temp\1006203800000e24clhbc4ycwa
c:\temp\1006203800000e24jj3bfoqv79
c:\temp\1006203600000e24pgh8uurd7i
c:\temp\1006203600000e24cbvpcz20sg
c:\temp\1006203600000e246c6o20v70l

Save this as

CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 16.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (with or without Multi-language) and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck the Carbonite online backup trial if it's offered there.

Download ATF (Atribune Temp File) Cleaner

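A CFScript is a one-way operation: once ComboFix processes the File:: and Folder:: sections the targets are gone, and with them any chance of hashing them or submitting them to VirusTotal later. Below is an added example (my own code, not part of this thread or of ComboFix) that parses the CFScript format shown above into its sections and records size, SHA-256 and folder contents of every target that still exists before the script is run. The sample script is constructed from a subset of the one in the reply; the demo() helper builds stand-in files under a temporary directory, and the resolve() mapping is an assumption so the code runs offline on any platform (on the infected machine it would be the identity function).

```python
import hashlib
import os
import tempfile

# Constructed CFScript with the section shape used in the reply above.
SAMPLE_CFSCRIPT = r"""
File::
c:\program files\Common Files\ajefepov.db
c:\temp\3.tmp
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
Folder::
c:\temp\10111249000014449kk8cmksmn
"""

# Constructed stand-in content for c:\temp\3.tmp (not real malware).
PAYLOAD_3TMP = b"constructed stand-in for c:\\temp\\3.tmp\n"


def parse_cfscript(text):
    """Split a CFScript into {section: [lines]} keyed by the 'Name::' headers."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::") and " " not in line:   # File::, Folder::, DDS:: ...
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sections, resolve):
    """Record size + SHA-256 of each File:: target and the member listing of
    each Folder:: target that exists; targets already gone are listed under
    'missing' so the analyst knows what could not be preserved."""
    record = {"files": {}, "folders": {}, "missing": []}
    for p in sections.get("File", []):
        real = resolve(p)
        if os.path.isfile(real):
            record["files"][p] = {"size": os.path.getsize(real), "sha256": sha256_of(real)}
        else:
            record["missing"].append(p)
    for p in sections.get("Folder", []):
        real = resolve(p)
        if os.path.isdir(real):
            record["folders"][p] = sorted(os.listdir(real))
        else:
            record["missing"].append(p)
    return record


def demo():
    """Build stand-in targets under a temp dir and preserve evidence for them."""
    root = tempfile.mkdtemp(prefix="cfscript_evidence_")

    def resolve(win_path):
        # Assumption for the demo: map 'c:\...' onto the temp root.
        return os.path.join(root, win_path[3:].replace("\\", os.sep))

    # Only some targets are created so the 'missing' branch is exercised too.
    tmp_file = resolve(r"c:\temp\3.tmp")
    os.makedirs(os.path.dirname(tmp_file), exist_ok=True)
    with open(tmp_file, "wb") as fh:
        fh.write(PAYLOAD_3TMP)
    folder = resolve(r"c:\temp\10111249000014449kk8cmksmn")
    os.makedirs(folder, exist_ok=True)
    open(os.path.join(folder, "dropped.dat"), "wb").close()

    return preserve_evidence(parse_cfscript(SAMPLE_CFSCRIPT), resolve)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Keep the resulting record (and, if policy allows, a copy of the files themselves) off the infected machine; the SHA-256 values are what you search for on VirusTotal afterwards, and the "missing" list tells you which script entries had already been cleaned up or never existed.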

ComboFix.txt

KAS.txt

Attach_20091029.txt

DDS_20091029.txt


Hi again Nigel,

If you're using Adobe Acrobat only to print PDFs then I'd recommend getting a free and less vulnerable option. If you use it for more than that then you should upgrade to a later version, since version 6 is badly outdated and open to different exploits, making your system vulnerable.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

How's the system running now?


Hi there,

Adobe acrobat does get used for more than just straightforward pdf-ing - will have to sort out an update for it.

Have loaded the version of shockwave you pointed me to.

The system is running OK now; I am not getting any odd error messages and the installed virus checker doesn't find anything. Thank you so much for your help. Is there anything else I should do now? Do I need to un-install/delete any programmes such as the Windows Recovery Console, and if so how do I do this?

Cheers

Nigel


Hi,

The Recovery Console may come in handy if the system becomes unbootable. I'd leave it installed, and that's what the ComboFix author also meant.

Is the Trend Micro Antivirus license still valid? According to the logs the definition set hasn't been updated lately.


Good. Then there's only uninstalling ComboFix left (the following instructions assume you still have ComboFix.exe on your desktop).

  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

ComboFix now uninstalled, thank you very much for all your help.
