
Google search popups / redirects



Working on a remote user's computer. When she clicks on any link in a Google search she gets popups for spam sites (for example "http://and2.2740.expand-search-goals.com/jump1/?affiliate=and2&subid=2740&terms=microsoft.com&sid=Z050044430%40EzX3kDO0UTNy81MyEjMfNTYfNTNy8VMxcjM3cTO5ITM&a=naq6&mr=1&rc=0") and no activity on the original search window.

I have replaced the hosts file with a modified version that blocks these sites but am still concerned about what else this infection may be doing.

The system is running McAfee with current DAT files.

I have run a number of utilities to attempt to remove this infection; this includes Malwarebytes, ComboFix, Kaspersky TDSSKiller, Kaspersky Virus Removal Tool, and Spyware Doctor. Malwarebytes detects RAdmin (which I am using to remote the machine) but no actual detections. ComboFix likewise detects and deletes RAdmin but seems to find nothing else. None of the other utilities detect anything at all. Below are the DDS and ComboFix logs. Attached are the attach.txt from DDS as well as the mbam and TDSSKiller logs. I will upload the GMER log as soon as it is finished. Thank you in advance.

****************************************************************DDS Log:*****************************************************************

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by CullinanK at 10:32:18.01 on Thu 03/10/2011

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.141 [GMT -5:00]

.

.

============== Running Processes ===============

.

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Courion Corporation\Enterprise Provisioning Suite DIRECT!\direct.exe

C:\WINDOWS\UTLite33.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Lotus\notes\NLNOTES.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Lotus\notes\ntaskldr.EXE

C:\Program Files\Mohawk VPN Client\vpngui.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\temp\dds.com

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = hxxp://inet2.mohawkind.com/portal/site/inet/template.PAGE/menuitem.1c8a11f698a14ba1cee635100c0320a0/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"

mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"

mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN

mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [DIRECT!] c:\program files\courion corporation\enterprise provisioning suite direct!\direct.exe

mRun: [Cisco Works] c:\windows\UTLite33.exe -domain mohawk.com -host ciscoworks.mohawk.com -port 16236

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mohawk~1.lnk - c:\program files\mohawk vpn client\vpngui.exe

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

uPolicies-system: NoDispScrSavPage = 1 (0x1)

mPolicies-system: MaxGPOScriptWait = 90 (0x5a)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

Trusted Zone: amphire.net \commerce

Trusted Zone: int.grp

Trusted Zone: int.grp\*.na

Trusted Zone: int.grp\*.uni

Trusted Zone: int.grp\tufting.na

Trusted Zone: microsoft.com\sftus.one

Trusted Zone: mohawk.com

Trusted Zone: mohawk.com\d01app03

Trusted Zone: mohawk.com\daltile

Trusted Zone: mohawk.com\mhkhome

Trusted Zone: mohawk.com\michgscrs01

Trusted Zone: mohawk.com\mohawkshare

Trusted Zone: mohawk.com\projects

Trusted Zone: mohawk.com \flooring

Trusted Zone: mohawkind.com

Trusted Zone: mohawkind.com\daltile

Trusted Zone: mohawkind.com\dublin

Trusted Zone: mohawkind.com\flooring

Trusted Zone: mohawkind.com\mhkhome

Trusted Zone: mohawkind.com \mohawkshare

Trusted Zone: mohawktraining.com

Trusted Zone: mohawkuniversity.com

Trusted Zone: mohawkuniversity.net

Trusted Zone: puresafety.com

Trusted Zone: skillport.com

Trusted Zone: unilin.com

Trusted Zone: virtualpremise.com

Trusted Zone: worksafelivesafe.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {613FFCA3-8ABC-11D2-A99B-400010000124} - hxxp://midgs17.mohawk.com/core/sskeys.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118927839250

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128003075671

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.4352314815

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {6A2720C9-4721-4AA1-A14F-68CC22F6BB25} = 10.10.1.155,10.11.0.17

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxsrvc.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-11 344712]

R2 CISMBIOS;CISMBIOS;c:\windows\system32\drivers\cismbios.sys [2010-9-10 14848]

R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2010-3-11 14336]

R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2010-3-11 5120]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-11 91896]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-11 43192]

R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2010-3-11 6144]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2005-4-15 31424]

R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-4-7 189792]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [2004-3-25 30775]

S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [2004-5-10 281600]

S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\windows\system32\drivers\cwbmidi.sys [2004-3-22 3072]

S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [2004-3-22 72832]

S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [2004-5-10 55999]

S3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-6 59328]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-14 66536]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [2001-8-17 9344]

S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [2004-5-10 701386]

.

=============== Created Last 30 ================

.

2011-03-10 15:30:30 625664 ----a-w- c:\temp\dds.com

2011-03-10 15:23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-10 15:23:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-10 14:25:57 90112 ----a-w- c:\windows\system32\admdll.dll

2011-03-09 19:40:00 -------- d-sha-r- C:\cmdcons

2011-03-09 19:31:29 89088 ----a-w- c:\windows\MBR.exe

2011-03-09 19:30:48 256512 ----a-w- c:\windows\PEV.exe

2011-03-09 19:30:47 161792 ----a-w- c:\windows\SWREG.exe

2011-03-09 19:30:45 98816 ----a-w- c:\windows\sed.exe

2011-03-09 18:38:10 4284225 ----a-r- c:\temp\ComboFix.exe

2011-03-09 18:16:44 -------- d-----w- c:\docume~1\cullin~1\locals~1\applic~1\Threat Expert

2011-03-09 17:50:32 -------- d-----w- c:\program files\PC Tools Security

2011-03-09 17:43:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-03-09 17:42:55 512992 ----a-w- c:\temp\sdsetup.exe

2011-03-08 19:59:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-02 15:45:38 1374808 ----a-w- c:\temp\tdsskiller2\TDSSKiller.exe

.

==================== Find3M ====================

.

2011-02-18 07:18:55 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-18 14:45:50 82696 ----a-w- c:\windows\system32\lmdimon8.dll

2011-01-18 14:45:50 82184 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lmdippr8.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-12-20 23:08:45 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08:45 17408 ------w- c:\windows\system32\corpol.dll

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 10:38:29.18 ===============

****************************************************************Combofix Log:*************************************************************

ComboFix 11-03-08.09 - pcadmin 03/09/2011 14:48:17.1.1 - x86

Running from: c:\temp\ComboFix.exe

* Resident AV is active

.

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\AdmDll.dll

c:\windows\system32\raddrv.dll

.

----- BITS: Possible infected sites -----

.

hxxp://windowsupdate.mohawkind.com

.

((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))

.

.

2011-03-09 18:38 . 2011-03-09 18:38 4284225 ----a-r- c:\temp\ComboFix.exe

2011-03-09 18:16 . 2011-03-09 18:16 -------- d-----w- c:\documents and settings\cullinank\Local Settings\Application Data\Threat Expert

2011-03-09 18:03 . 2011-01-07 19:54 2000848 ----a-w- c:\windows\PCTBDCore.dll

2011-03-09 17:50 . 2011-03-09 18:53 -------- d-----w- c:\program files\Common Files\PC Tools

2011-03-09 17:50 . 2011-03-09 18:53 -------- d-----w- c:\program files\PC Tools Security

2011-03-09 17:50 . 2011-03-09 18:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-03-09 17:43 . 2011-03-09 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-03-09 17:42 . 2011-03-09 17:43 512992 ----a-w- c:\temp\sdsetup.exe

2011-03-08 21:14 . 2011-03-09 17:13 -------- d-----w- c:\windows\LastGood

2011-03-08 20:03 . 2011-03-08 20:03 -------- d-----w- c:\documents and settings\graham_baughman\Application Data\Malwarebytes

2011-03-08 20:00 . 2011-03-08 20:00 -------- d-----w- c:\documents and settings\pcadmin\Application Data\Malwarebytes

2011-03-08 19:59 . 2011-03-08 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-07 19:40 . 2011-03-09 19:31 135168 ----a-w- C:\LdDiscSvc.exe

2011-03-02 15:45 . 2011-03-02 15:45 1374808 ----a-w- c:\temp\tdsskiller2\TDSSKiller.exe

2011-02-18 04:01 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-18 07:18 . 2008-10-16 06:55 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-18 14:45 . 2009-06-25 00:16 82696 ----a-w- c:\windows\system32\lmdimon8.dll

2011-01-18 14:45 . 2009-06-25 00:16 82184 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll

2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:08 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-12-20 23:08 . 2004-08-04 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-09 20530]

"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-09 24626]

"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-09 45056]

"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-09 20480]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-29 86016]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]

"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]

"DIRECT!"="c:\program files\Courion Corporation\Enterprise Provisioning Suite DIRECT!\direct.exe" [2005-02-18 98304]

"Cisco Works"="c:\windows\UTLite33.exe" [2004-08-10 172098]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-08-26 124224]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

.

c:\documents and settings\pcadmin\Start Menu\Programs\Startup\

VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-10-18 1685040]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Mohawk Industries, Inc. VPN Client.lnk - c:\program files\Mohawk VPN Client\vpngui.exe [2004-4-7 1470296]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"MaxGPOScriptWait"= 90 (0x5a)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

"NoSimpleStartMenu"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2003-06-20 15:03 110592 ----a-w- c:\windows\system32\LgNotify.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\0\0]

"Script"=WaaS Print Remap.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\1\0]

"Script"=WaaS Print Remap.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\2\0]

"Script"=SecAware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\3\0]

"Script"=\\MICHGLDESK01.na.int.grp\LDLOGON\Netlogon\LANDesk\iDeploy.exe

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Avaya Modular Messaging\\Common\\ummiddleman.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\cba\\pds.exe"=

"c:\\WINDOWS\\system32\\msgsys.exe"=

"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=

"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:10.52.1.152/255.255.255.255:Enabled:TCP\135

"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port

"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port

"67:UDP"= 67:UDP:LANDesk® PXE UDP Port

"67:TCP"= 67:TCP:LANDesk® PXE TCP Port

"445:TCP"= 445:TCP:@xpsp2res.dll,-22005

"139:TCP"= 139:TCP:@xpsp2res.dll,-22004

"138:UDP"= 138:UDP:@xpsp2res.dll,-22002

"137:UDP"= 137:UDP:@xpsp2res.dll,-22001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [10/15/2010 7:41 AM 147456]

R2 CISMBIOS;CISMBIOS;c:\windows\system32\drivers\cismbios.sys [9/10/2010 10:25 PM 14848]

R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [1/23/2011 4:57 PM 205312]

R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\LANDesk\LDClient\tmcsvc.exe [1/23/2011 4:57 PM 178688]

R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [12/16/2009 7:31 PM 222528]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/25/2010 8:07 PM 22816]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/14/2010 5:48 PM 69192]

R2 MHK PC Tune-up;MHK PC Tune-up;c:\program files\Mohawk Industries\Tune Up Suite\Mohawk PC Tune-up Scheduler.exe [7/10/2008 3:46 PM 53248]

R2 SnaDdm;SNA DDM Service;c:\program files\Host Integration Server\system\ddmserv.exe [8/7/2000 8:32 AM 82192]

R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [1/23/2011 4:57 PM 385024]

R2 tracksvc;LANDesk® Power Management Track Service;c:\program files\LANDesk\LDClient\tracksvc.exe [1/23/2011 4:58 PM 66048]

R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [3/11/2010 3:13 PM 14336]

R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [3/11/2010 3:13 PM 5120]

R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [3/11/2010 3:13 PM 6144]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [4/15/2005 12:00 PM 31424]

R4 20293811;20293811;c:\windows\system32\DRIVERS\20293811.sys --> c:\windows\system32\DRIVERS\20293811.sys [?]

R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]

R4 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys --> c:\windows\system32\drivers\pctDS.sys [?]

R4 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys --> c:\windows\system32\drivers\pctEFA.sys [?]

S2 ProcTrigger;LANDesk® Process Trigger Service;c:\program files\LANDesk\LDClient\ProcTriggerSvc.exe [1/23/2011 4:58 PM 143360]

S2 r_server;Remote Administrator Service;r_server.exe /service --> r_server.exe [?]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [3/25/2004 2:05 PM 30775]

S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [5/10/2004 7:17 PM 281600]

S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\windows\system32\drivers\cwbmidi.sys [3/22/2004 9:37 AM 3072]

S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [3/22/2004 9:37 AM 72832]

S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [5/10/2004 7:17 PM 55999]

S3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2/6/2003 10:23 PM 59328]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 6:26 PM 80384]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/14/2010 5:48 PM 66536]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [8/17/2001 8:47 AM 9344]

S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [5/10/2004 7:17 PM 701386]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 20293811

*NewlyCreated* - 20293812

*NewlyCreated* - KLMD25

*NewlyCreated* - PCTDS

*NewlyCreated* - PCTEFA

*NewlyCreated* - PCTSDINJDRIVER32

*NewlyCreated* - SETUP_9.0.0.722_08.03.2011_22-29DRV

*NewlyCreated* - WS2IFSL

*Deregistered* - klmd25

*Deregistered* - PCTSDInjDriver32

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = https://quickaccess.verizonwireless.com/quickaccess?olp=T5au2P0M0gnlI5JcT6RalSUXp7AB5DmCWsK88k47NSDaJqk4HgNL1A==

TCP: {6A2720C9-4721-4AA1-A14F-68CC22F6BB25} = 10.10.1.155,10.11.0.17

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {613FFCA3-8ABC-11D2-A99B-400010000124} - hxxp://midgs17.mohawk.com/core/sskeys.cab

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-Knowledge Center 4.8a - c:\lotus\notes\Uninst.isu

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-09 15:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{abcdf74f-9a64-4e6e-b8eb-6e5a41de6550}\0409]

@SACL=

"Version"="1.0.0.2"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1724)

c:\windows\system32\stlport_vc746.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\LgNotify.dll

c:\windows\system32\igfxsrvc.dll

c:\windows\system32\hccutils.DLL

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

.

- - - - - - - > 'lsass.exe'(1780)

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

.

Completion time: 2011-03-09 15:19:41

ComboFix-quarantined-files.txt 2011-03-09 20:19

.

Pre-Run: 20,769,722,368 bytes free

Post-Run: 20,800,430,080 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

.

- - End Of File - - EEB1013CCAD764CB1C663405DD8DD136


Hello Darth_Malware! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

First of all, don't use ComboFix on your own! More information here:

http://www.bleepingcomputer.com/forums/topic273628.html

So:

Go to Start => Run... and copy & paste the following command into the field:

ComboFix /uninstall

Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

Note: Make sure there's a space between ComboFix and /uninstall.

In your next reply, please post the following logs:

  1. A new, fresh DDS log with Attach.txt


Thank you for your response. I ran the command you indicated and ComboFix was removed. Below is the new log, and attached is the new attach.txt file.

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by graham_baughman at 15:02:06.50 on Thu 03/10/2011

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.113 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\LANDesk\Shared Files\residentagent.exe

C:\Program Files\Mohawk VPN Client\cvpnd.exe

C:\WINDOWS\system32\CBA\pds.exe

C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

C:\Program Files\LANDesk\LDClient\tmcsvc.exe

C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\Program Files\LANDesk\LDClient\collector.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Mohawk Industries\Tune Up Suite\Mohawk PC Tune-up Scheduler.exe

C:\lotus\notes\ntmulti.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\system32\r_server.exe

C:\Program Files\Host Integration Server\system\ddmserv.exe

C:\Program Files\LANDesk\LDClient\softmon.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\LANDesk\LDClient\tracksvc.exe

C:\Program Files\LANDesk\LDClient\LocalSch.EXE

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\WINDOWS\system32\mqsvc.exe

C:\PROGRA~1\LANDesk\LDClient\issuser.exe

C:\PROGRA~1\LANDesk\LDClient\rcgui.exe

C:\WINDOWS\explorer.exe

C:\temp\dds.com

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"

mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"

mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN

mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [DIRECT!] c:\program files\courion corporation\enterprise provisioning suite direct!\direct.exe

mRun: [Cisco Works] c:\windows\UTLite33.exe -domain mohawk.com -host ciscoworks.mohawk.com -port 16236

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mohawk~1.lnk - c:\program files\mohawk vpn client\vpngui.exe

mPolicies-system: MaxGPOScriptWait = 90 (0x5a)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {613FFCA3-8ABC-11D2-A99B-400010000124} - hxxp://midgs17.mohawk.com/core/sskeys.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118927839250

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128003075671

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.4352314815

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {6A2720C9-4721-4AA1-A14F-68CC22F6BB25} = 10.10.1.155,10.11.0.17

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxsrvc.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-11 344712]

R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2010-10-15 147456]

R2 CISMBIOS;CISMBIOS;c:\windows\system32\drivers\cismbios.sys [2010-9-10 14848]

R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\landesk\ldclient\policy.client.invoker.exe [2011-1-23 205312]

R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\landesk\ldclient\tmcsvc.exe [2011-1-23 178688]

R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-12-16 222528]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-8-25 22816]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-8-25 147984]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-8-25 66880]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-14 69192]

R2 MHK PC Tune-up;MHK PC Tune-up;c:\program files\mohawk industries\tune up suite\Mohawk PC Tune-up Scheduler.exe [2008-7-10 53248]

R2 r_server;Remote Administrator Service;r_server.exe /service --> r_server.exe [?]

R2 SnaDdm;SNA DDM Service;c:\program files\host integration server\system\ddmserv.exe [2000-8-7 82192]

R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2011-1-23 385024]

R2 tracksvc;LANDesk® Power Management Track Service;c:\program files\landesk\ldclient\tracksvc.exe [2011-1-23 66048]

R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2010-3-11 14336]

R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2010-3-11 5120]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-11 91896]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-11 43192]

R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2010-3-11 6144]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2005-4-15 31424]

R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-4-7 189792]

RUnknown SASDIFSV;SASDIFSV; [x]

RUnknown SASKUTIL;SASKUTIL; [x]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S2 ProcTrigger;LANDesk® Process Trigger Service;c:\program files\landesk\ldclient\ProcTriggerSvc.exe [2011-1-23 143360]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [2004-3-25 30775]

S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [2004-5-10 281600]

S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\windows\system32\drivers\cwbmidi.sys [2004-3-22 3072]

S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [2004-3-22 72832]

S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [2004-5-10 55999]

S3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-6 59328]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-14 66536]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [2001-8-17 9344]

S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [2004-5-10 701386]

.

=============== Created Last 30 ================

.

2011-03-10 19:15:31 135168 ----a-w- C:\LdDiscSvc.exe

2011-03-10 18:42:15 -------- d-s---w- C:\ComboFix

2011-03-10 17:59:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-03-10 17:55:53 10630896 ----a-w- c:\temp\SUPERAntiSpyware.exe

2011-03-10 17:55:00 12502472 ----a-w- c:\temp\windows-kb890830-v3.17.exe

2011-03-10 17:27:50 1377112 ----a-w- c:\temp\tdsskiller\TDSSKiller.exe

2011-03-10 15:34:34 296448 ----a-w- c:\temp\7cdkplwm.exe

2011-03-10 15:30:30 625664 ----a-w- c:\temp\dds.com

2011-03-10 15:23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-10 15:23:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-10 14:25:57 90112 ----a-w- c:\windows\system32\admdll.dll

2011-03-09 19:40:00 -------- d-sha-r- C:\cmdcons

2011-03-09 17:50:32 -------- d-----w- c:\program files\PC Tools Security

2011-03-09 17:43:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-03-09 17:42:55 512992 ----a-w- c:\temp\sdsetup.exe

2011-03-08 20:03:08 -------- d-----w- c:\docume~1\graham~1\applic~1\Malwarebytes

2011-03-08 19:59:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-18 04:01:30 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

.

==================== Find3M ====================

.

2011-02-18 07:18:55 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-18 14:45:50 82696 ----a-w- c:\windows\system32\lmdimon8.dll

2011-01-18 14:45:50 82184 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lmdippr8.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-12-20 23:08:45 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08:45 17408 ------w- c:\windows\system32\corpol.dll

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 15:05:37.92 ===============
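The SERVICES / DRIVERS section of the DDS log above is the part a helper reads first when triaging a machine like this one. Each line has the form `<state><start-type> name;display name;image path [date size]`, and when DDS could not read the file it prints `[?]` or `[x]` instead of a date and size, which is exactly what shows up for r_server, the SASDIFSV/SASKUTIL leftovers and mferkdk. The parser below is an added example, not part of the post or of DDS itself; the sample input is a handful of lines copied from the log above, and the reading of the state/start-type prefix (R = running, S = stopped, digit = service start type) and of the `[?]`/`[x]` markers as "file not verified" is my interpretation of the DDS output format, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed input: lines copied verbatim from the SERVICES / DRIVERS section
# of the DDS log in the post above. Nothing here is invented.
DDS_SERVICES = r"""
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-11 344712]
R2 r_server;Remote Administrator Service;r_server.exe /service --> r_server.exe [?]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-4-7 189792]
RUnknown SASDIFSV;SASDIFSV; [x]
RUnknown SASKUTIL;SASKUTIL; [x]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [2001-8-17 9344]
"""


@dataclass
class ServiceEntry:
    state: str    # "R" (running) or "S" (stopped); my reading of the DDS prefix
    start: str    # start type: "0" boot, "1" system, "2" auto, "3" manual, or "Unknown"
    name: str     # service / driver key name
    display: str  # display name
    image: str    # image path or command exactly as DDS printed it
    tag: str      # text inside the trailing [...]: "date size", or "?" / "x"

    @property
    def verified(self) -> bool:
        """True when DDS printed a date and size, i.e. it could read the image file."""
        return self.tag not in ("?", "x")


# Splits "...image... [tag]" into the image text and the bracketed tail.
TAIL = re.compile(r"^(?P<image>.*?)\s*\[(?P<tag>[^\]]*)\]\s*$")


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse DDS SERVICES / DRIVERS lines; lines without two ';' separators are skipped."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(";") < 2:
            continue
        head, display, rest = line.split(";", 2)
        code, name = head.split(None, 1)          # e.g. "R2", "r_server"
        m = TAIL.match(rest)
        image, tag = (m.group("image"), m.group("tag")) if m else (rest, "")
        entries.append(ServiceEntry(state=code[0], start=code[1:], name=name,
                                    display=display, image=image.strip(), tag=tag))
    return entries


def unverified(entries: List[ServiceEntry]) -> List[str]:
    """Names of services/drivers whose image DDS could not verify ([?] or [x])."""
    return [e.name for e in entries if not e.verified]


if __name__ == "__main__":
    parsed = parse_dds_services(DDS_SERVICES)
    for e in parsed:
        flag = "" if e.verified else "   <-- image not verified"
        print(f"{e.state}{e.start:<8} {e.name:<10} {e.image}{flag}")
    print("unverified:", unverified(parsed))
```

Entries the helper would ask about are exactly the unverified ones: a running service whose image DDS cannot find is either a remnant of an uninstalled tool (the SAS* drivers) or, as here with r_server, a binary that lives somewhere DDS does not resolve, which is why the helper asked for the VirusTotal report on the Radmin component further down the thread.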


  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please post the following logs:

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only


My apologies, see below:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6011

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

3/10/2011 4:05:59 PM

mbam-log-2011-03-10 (16-05-46).txt

Scan type: Quick scan

Objects scanned: 144481

Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by graham_baughman at 16:13:05.18 on Thu 03/10/2011

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.164 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\LANDesk\Shared Files\residentagent.exe

C:\Program Files\Mohawk VPN Client\cvpnd.exe

C:\WINDOWS\system32\CBA\pds.exe

C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

C:\Program Files\LANDesk\LDClient\tmcsvc.exe

C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\Program Files\LANDesk\LDClient\collector.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Mohawk Industries\Tune Up Suite\Mohawk PC Tune-up Scheduler.exe

C:\lotus\notes\ntmulti.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\system32\r_server.exe

C:\Program Files\Host Integration Server\system\ddmserv.exe

C:\Program Files\LANDesk\LDClient\softmon.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\LANDesk\LDClient\tracksvc.exe

C:\Program Files\LANDesk\LDClient\LocalSch.EXE

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\WINDOWS\system32\mqsvc.exe

C:\PROGRA~1\LANDesk\LDClient\issuser.exe

C:\PROGRA~1\LANDesk\LDClient\rcgui.exe

C:\WINDOWS\explorer.exe

C:\Program Files\LANDesk\LDClient\vulScan.exe

C:\Program Files\LANDesk\Shared Files\proxyhost.exe

C:\temp\dds.com

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"

mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"

mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN

mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [DIRECT!] c:\program files\courion corporation\enterprise provisioning suite direct!\direct.exe

mRun: [Cisco Works] c:\windows\UTLite33.exe -domain mohawk.com -host ciscoworks.mohawk.com -port 16236

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mohawk~1.lnk - c:\program files\mohawk vpn client\vpngui.exe

mPolicies-system: MaxGPOScriptWait = 90 (0x5a)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {613FFCA3-8ABC-11D2-A99B-400010000124} - hxxp://midgs17.mohawk.com/core/sskeys.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118927839250

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128003075671

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.4352314815

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {6A2720C9-4721-4AA1-A14F-68CC22F6BB25} = 10.10.1.155,10.11.0.17

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxsrvc.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-11 344712]

R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2010-10-15 147456]

R2 CISMBIOS;CISMBIOS;c:\windows\system32\drivers\cismbios.sys [2010-9-10 14848]

R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\landesk\ldclient\policy.client.invoker.exe [2011-1-23 205312]

R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\landesk\ldclient\tmcsvc.exe [2011-1-23 178688]

R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-12-16 222528]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-8-25 22816]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-8-25 147984]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-8-25 66880]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-14 69192]

R2 MHK PC Tune-up;MHK PC Tune-up;c:\program files\mohawk industries\tune up suite\Mohawk PC Tune-up Scheduler.exe [2008-7-10 53248]

R2 r_server;Remote Administrator Service;r_server.exe /service --> r_server.exe [?]

R2 SnaDdm;SNA DDM Service;c:\program files\host integration server\system\ddmserv.exe [2000-8-7 82192]

R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2011-1-23 385024]

R2 tracksvc;LANDesk® Power Management Track Service;c:\program files\landesk\ldclient\tracksvc.exe [2011-1-23 66048]

R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2010-3-11 14336]

R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2010-3-11 5120]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-11 91896]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-11 43192]

R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2010-3-11 6144]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2005-4-15 31424]

R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-4-7 189792]

RUnknown SASDIFSV;SASDIFSV; [x]

RUnknown SASKUTIL;SASKUTIL; [x]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S2 ProcTrigger;LANDesk® Process Trigger Service;c:\program files\landesk\ldclient\ProcTriggerSvc.exe [2011-1-23 143360]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [2004-3-25 30775]

S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [2004-5-10 281600]

S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\windows\system32\drivers\cwbmidi.sys [2004-3-22 3072]

S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [2004-3-22 72832]

S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [2004-5-10 55999]

S3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-6 59328]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-14 66536]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [2001-8-17 9344]

S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [2004-5-10 701386]

.

=============== Created Last 30 ================

.

2011-03-10 19:15:31 135168 ----a-w- C:\LdDiscSvc.exe

2011-03-10 18:42:15 -------- d-s---w- C:\ComboFix

2011-03-10 17:59:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-03-10 17:55:53 10630896 ----a-w- c:\temp\SUPERAntiSpyware.exe

2011-03-10 17:55:00 12502472 ----a-w- c:\temp\windows-kb890830-v3.17.exe

2011-03-10 17:27:50 1377112 ----a-w- c:\temp\tdsskiller\TDSSKiller.exe

2011-03-10 15:34:34 296448 ----a-w- c:\temp\7cdkplwm.exe

2011-03-10 15:30:30 625664 ----a-w- c:\temp\dds.com

2011-03-10 15:23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-10 15:23:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-10 14:25:57 90112 ----a-w- c:\windows\system32\admdll.dll

2011-03-09 19:40:00 -------- d-sha-r- C:\cmdcons

2011-03-09 17:50:32 -------- d-----w- c:\program files\PC Tools Security

2011-03-09 17:43:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-03-09 17:42:55 512992 ----a-w- c:\temp\sdsetup.exe

2011-03-08 20:03:08 -------- d-----w- c:\docume~1\graham~1\applic~1\Malwarebytes

2011-03-08 19:59:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-18 04:01:30 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

.

==================== Find3M ====================

.

2011-02-18 07:18:55 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-18 14:45:50 82696 ----a-w- c:\windows\system32\lmdimon8.dll

2011-01-18 14:45:50 82184 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lmdippr8.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-12-20 23:08:45 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08:45 17408 ------w- c:\windows\system32\corpol.dll

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 16:16:39.39 ===============


This file is a part of an application called Remote Administrator by Famatech. It is the software I am currently using to remote into this machine, and it is frequently detected as a PUP by AV products. Below is the information you requested.

MD5: c915181e93fe3d4c41b1963180d3c535

Date first seen: 2006-06-06 15:52:37 (UTC)

Date last seen: 2011-03-10 00:59:52 (UTC)

Detection ratio: 14/42


Thanks!

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


----------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Full info - File name:

admdll.dll

Submission date:

2011-03-10 21:41:51 (UTC)

Current status:

finished

Result:

14/ 43 (32.6%)

VT Community

malware

Safety score: 0.0%


Antivirus Version Last Update Result

AhnLab-V3 2011.03.11.00 2011.03.10 Win-AppCare/Remadm

AntiVir 7.11.4.163 2011.03.10 -

Antiy-AVL 2.0.3.7 2011.03.09 RiskWare/RemoteAdmin.RAdmin.gen

Avast 4.8.1351.0 2011.03.10 -

Avast5 5.0.677.0 2011.03.10 -

AVG 10.0.0.1190 2011.03.10 RemoteAdmin.BCO

BitDefender 7.2 2011.03.10 -

CAT-QuickHeal 11.00 2011.03.10 -

ClamAV 0.96.4.0 2011.03.10 PUA.RAT.RAdmin-2

Commtouch 5.2.11.5 2011.03.10 W32/RemoteAdmin.C

Comodo 7936 2011.03.10 ApplicUnsaf.Win32.RemoteAdmin

DrWeb 5.0.2.03300 2011.03.10 -

Emsisoft 5.1.0.2 2011.03.10 Adware.Win32.MessengerInfiumFinal!A2

eSafe 7.0.17.0 2011.03.10 -

eTrust-Vet 36.1.8209 2011.03.10 -

F-Prot 4.6.2.117 2011.03.10 W32/RemoteAdmin.C

F-Secure 9.0.16440.0 2011.03.10 -

Fortinet 4.2.254.0 2011.03.10 RAT/RAdmin

GData 21 2011.03.10 -

Ikarus T3.1.1.97.0 2011.03.10 -

Jiangmin 13.0.900 2011.03.10 -

K7AntiVirus 9.92.4076 2011.03.10 -

Kaspersky 7.0.0.125 2011.03.10 not-a-virus:RemoteAdmin.Win32.RAdmin.20

McAfee 5.400.0.1158 2011.03.10 RemAdm-RemoteAdmin

McAfee-GW-Edition 2010.1C 2011.03.10 RemAdm-RemoteAdmin

Microsoft 1.6603 2011.03.10 -

NOD32 5943 2011.03.10 Win32/RemoteAdmin

Norman 6.07.03 2011.03.10 -

nProtect 2011-02-10.01 2011.02.15 -

Panda 10.0.3.5 2011.03.10 -

PCTools 7.0.3.5 2011.03.10 -

Prevx 3.0 2011.03.10 -

Rising 23.48.03.05 2011.03.10 -

Sophos 4.63.0 2011.03.10 RemoteAdmin

SUPERAntiSpyware 4.40.0.1006 2011.03.10 -

Symantec 20101.3.0.103 2011.03.10 -

TheHacker 6.7.0.1.147 2011.03.10 -

TrendMicro 9.200.0.1012 2011.03.10 -

TrendMicro-HouseCall 9.200.0.1012 2011.03.10 -

VBA32 3.12.14.3 2011.03.10 -

VIPRE 8660 2011.03.10 -

ViRobot 2011.3.10.4351 2011.03.10 -

VirusBuster 13.6.245.0 2011.03.10 -

Additional information

Show all

MD5 : c915181e93fe3d4c41b1963180d3c535

SHA1 : f35e66bec967d4254338a120eea8159f29c06a99

SHA256: d8fc5d545e684a4d5001004463f762d190bee478eb3a329f65998bad53d3c958


ComboFix 11-03-10.01 - pcadmin 03/10/2011 17:01:05.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.193 [GMT -5:00]

Running from: c:\temp\Combo-Fix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\AdmDll.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))

.

.

2011-03-10 17:59 . 2011-03-10 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-03-10 17:55 . 2011-03-10 17:55 10630896 ----a-w- c:\temp\SUPERAntiSpyware.exe

2011-03-10 17:55 . 2011-03-10 17:55 12502472 ----a-w- c:\temp\windows-kb890830-v3.17.exe

2011-03-10 17:27 . 2011-03-10 17:33 1377112 ----a-w- c:\temp\tdsskiller\TDSSKiller.exe

2011-03-10 15:34 . 2011-03-10 15:34 296448 ----a-w- c:\temp\7cdkplwm.exe

2011-03-10 15:30 . 2011-03-10 15:30 625664 ----a-w- c:\temp\dds.com

2011-03-10 15:23 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-10 15:23 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-09 22:17 . 2011-03-09 22:17 -------- d-----w- c:\documents and settings\pcadmin\Local Settings\Application Data\panagenda

2011-03-09 18:16 . 2011-03-09 18:16 -------- d-----w- c:\documents and settings\cullinank\Local Settings\Application Data\Threat Expert

2011-03-09 17:50 . 2011-03-10 14:36 -------- d-----w- c:\program files\PC Tools Security

2011-03-09 17:50 . 2011-03-09 18:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-03-09 17:43 . 2011-03-09 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-03-09 17:42 . 2011-03-09 17:43 512992 ----a-w- c:\temp\sdsetup.exe

2011-03-08 20:03 . 2011-03-08 20:03 -------- d-----w- c:\documents and settings\graham_baughman\Application Data\Malwarebytes

2011-03-08 20:00 . 2011-03-08 20:00 -------- d-----w- c:\documents and settings\pcadmin\Application Data\Malwarebytes

2011-03-08 19:59 . 2011-03-10 15:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-18 04:01 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-18 07:18 . 2008-10-16 06:55 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-18 14:45 . 2009-06-25 00:16 82696 ----a-w- c:\windows\system32\lmdimon8.dll

2011-01-18 14:45 . 2009-06-25 00:16 82184 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll

2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:08 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-12-20 23:08 . 2004-08-04 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-09 20530]

"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-09 24626]

"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-09 45056]

"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-09 20480]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-29 86016]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]

"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]

"DIRECT!"="c:\program files\Courion Corporation\Enterprise Provisioning Suite DIRECT!\direct.exe" [2005-02-18 98304]

"Cisco Works"="c:\windows\UTLite33.exe" [2004-08-10 172098]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-08-26 124224]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

.

c:\documents and settings\pcadmin\Start Menu\Programs\Startup\

VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-10-18 1685040]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Mohawk Industries, Inc. VPN Client.lnk - c:\program files\Mohawk VPN Client\vpngui.exe [2004-4-7 1470296]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"MaxGPOScriptWait"= 90 (0x5a)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

"NoSimpleStartMenu"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2003-06-20 15:03 110592 ----a-w- c:\windows\system32\LgNotify.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\0\0]

"Script"=WaaS Print Remap.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\1\0]

"Script"=WaaS Print Remap.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\2\0]

"Script"=SecAware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\3\0]

"Script"=\\MICHGLDESK01.na.int.grp\LDLOGON\Netlogon\LANDesk\iDeploy.exe

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Avaya Modular Messaging\\Common\\ummiddleman.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\cba\\pds.exe"=

"c:\\WINDOWS\\system32\\msgsys.exe"=

"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=

"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:10.52.1.152/255.255.255.255:Enabled:TCP\135

"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port

"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port

"67:UDP"= 67:UDP:LANDesk® PXE UDP Port

"67:TCP"= 67:TCP:LANDesk® PXE TCP Port

"445:TCP"= 445:TCP:@xpsp2res.dll,-22005

"139:TCP"= 139:TCP:@xpsp2res.dll,-22004

"138:UDP"= 138:UDP:@xpsp2res.dll,-22002

"137:UDP"= 137:UDP:@xpsp2res.dll,-22001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [10/15/2010 7:41 AM 147456]

R2 CISMBIOS;CISMBIOS;c:\windows\system32\drivers\cismbios.sys [9/10/2010 10:25 PM 14848]

R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [1/23/2011 4:57 PM 205312]

R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\LANDesk\LDClient\tmcsvc.exe [1/23/2011 4:57 PM 178688]

R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [12/16/2009 7:31 PM 222528]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/25/2010 8:07 PM 22816]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/14/2010 5:48 PM 69192]

R2 MHK PC Tune-up;MHK PC Tune-up;c:\program files\Mohawk Industries\Tune Up Suite\Mohawk PC Tune-up Scheduler.exe [7/10/2008 3:46 PM 53248]

R2 SnaDdm;SNA DDM Service;c:\program files\Host Integration Server\system\ddmserv.exe [8/7/2000 8:32 AM 82192]

R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [1/23/2011 4:57 PM 385024]

R2 tracksvc;LANDesk® Power Management Track Service;c:\program files\LANDesk\LDClient\tracksvc.exe [1/23/2011 4:58 PM 66048]

R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [3/11/2010 3:13 PM 14336]

R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [3/11/2010 3:13 PM 5120]

R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [3/11/2010 3:13 PM 6144]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [4/15/2005 12:00 PM 31424]

S2 ProcTrigger;LANDesk® Process Trigger Service;c:\program files\LANDesk\LDClient\ProcTriggerSvc.exe [1/23/2011 4:58 PM 143360]

S2 r_server;Remote Administrator Service;r_server.exe /service --> r_server.exe [?]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [3/25/2004 2:05 PM 30775]

S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [5/10/2004 7:17 PM 281600]

S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\windows\system32\drivers\cwbmidi.sys [3/22/2004 9:37 AM 3072]

S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [3/22/2004 9:37 AM 72832]

S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [5/10/2004 7:17 PM 55999]

S3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2/6/2003 10:23 PM 59328]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 6:26 PM 80384]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/14/2010 5:48 PM 66536]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [8/17/2001 8:47 AM 9344]

S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [5/10/2004 7:17 PM 701386]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - PXLIRPOC

*NewlyCreated* - SASDIFSV

*NewlyCreated* - SASKUTIL

*Deregistered* - klmd25

*Deregistered* - pxlirpoc

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = https://quickaccess.verizonwireless.com/quickaccess?olp=T5au2P0M0gnlI5JcT6RalSUXp7AB5DmCWsK88k47NSDaJqk4HgNL1A==

TCP: {6A2720C9-4721-4AA1-A14F-68CC22F6BB25} = 10.10.1.155,10.11.0.17

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {613FFCA3-8ABC-11D2-A99B-400010000124} - hxxp://midgs17.mohawk.com/core/sskeys.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-10 17:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(284)

c:\windows\system32\stlport_vc746.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\LgNotify.dll

.

Completion time: 2011-03-10 17:16:04

ComboFix-quarantined-files.txt 2011-03-10 22:15

ComboFix2.txt 2011-03-09 20:19

.

Pre-Run: 20,745,330,688 bytes free

Post-Run: 20,733,190,144 bytes free

.

- - End Of File - - 60BAE5314586C72721B05F25F688900A


We need to check for rootkits with RootRepeal.

1. Download RootRepeal from the following location and save it to your desktop.
   - Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
   - Rar Mirrors - Only if you know what a RAR is and can extract it.
2. Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
3. Open the RootRepeal icon on your desktop.
4. Click the Report tab.
5. Click the Scan button.
6. Check all seven boxes.
7. Push Ok.
8. Check the box for your main system drive (usually C:), and press Ok.
9. Allow RootRepeal to run a scan of your system. This may take some time.
10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2011/03/10 17:43

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: catchme.sys

Image Path: C:\DOCUME~1\pcadmin\LOCALS~1\Temp\catchme.sys

Address: 0xF8882000 Size: 31744 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAA42E000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8A96000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xF8A62000 Size: 7872 File Visible: No Signed: -

Status: -

Name: pxlirpoc.sys

Image Path: C:\DOCUME~1\pcadmin\LOCALS~1\Temp\pxlirpoc.sys

Address: 0xA8536000 Size: 94848 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA9D0D000 Size: 49152 File Visible: No Signed: -

Status: -

Name: SASDIFSV.SYS

Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

Address: 0xF7A0E000 Size: 24576 File Visible: No Signed: -

Status: -

Name: SASKUTIL.SYS

Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

Address: 0xA84E9000 Size: 139264 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\temp\RootRepeal.exe

Status: Visible to the Windows API, but not on disk.

Path: C:\temp\settings.dat

Status: Visible to the Windows API, but not on disk.

SSDT

-------------------

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa84f3620

Stealth Objects

-------------------

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: csrss.exe (PID: 264) Address: 0xe2e9c818 Size: -

Object: Hidden Handle [index: 2052, Type: UnknownType]

Process: csrss.exe (PID: 264) Address: 0xe108b818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: winlogon.exe (PID: 284) Address: 0xe2be4020 Size: -

Object: Hidden Handle [index: 2052, Type: UnknownType]

Process: winlogon.exe (PID: 284) Address: 0xe1259548 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: services.exe (PID: 328) Address: 0xe2bfb020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: lsass.exe (PID: 340) Address: 0xe2bdd4d8 Size: -

Object: Hidden Handle [index: 2052, Type: UnknownType]

Process: lsass.exe (PID: 340) Address: 0xe1a59020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: svchost.exe (PID: 520) Address: 0xe2c3e560 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: svchost.exe (PID: 604) Address: 0xe2c3c818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: svchost.exe (PID: 788) Address: 0xe2c3a818 Size: -

Object: Hidden Handle [index: 2052, Type: UnknownType]

Process: svchost.exe (PID: 788) Address: 0xe12c5818 Size: -

Object: Hidden Handle [index: 4100, Type: UnknownType]

Process: svchost.exe (PID: 788) Address: 0xe1901020 Size: -

Object: Hidden Handle [index: 6148, Type: UnknownType]

Process: svchost.exe (PID: 788) Address: 0xe10861b0 Size: -

Object: Hidden Handle [index: 8196, Type: UnknownType]

Process: svchost.exe (PID: 788) Address: 0xe3403458 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: S24EvMon.exe (PID: 884) Address: 0xe2e4a818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: svchost.exe (PID: 1004) Address: 0xe2e76020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: svchost.exe (PID: 1248) Address: 0xe2e78818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: spoolsv.exe (PID: 1576) Address: 0xe2e9a818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: svchost.exe (PID: 400) Address: 0xe2ec7818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: msdtc.exe (PID: 540) Address: 0xe2ecc818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: residentagent.exe (PID: 996) Address: 0xe2ec9818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: cvpnd.exe (PID: 216) Address: 0xe2ed2818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: pds.exe (PID: 1112) Address: 0xe2ecf818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: policy.client.invoker.exe (PID: 1156) Address: 0xe2f13020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: tmcsvc.exe (PID: 1296) Address: 0xe2eda818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: McSACore.exe (PID: 1328) Address: 0xe2eef5c8 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: engineserver.exe (PID: 1816) Address: 0xe2f09818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: collector.exe (PID: 1864) Address: 0xe2f19818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: ZCfgSvc.exe (PID: 1844) Address: 0xe125d020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: vstskmgr.exe (PID: 2304) Address: 0xe12fd818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: mfevtps.exe (PID: 2360) Address: 0xe12bb818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: Mohawk PC Tune-up Scheduler.exe (PID: 2404) Address: 0xe12bd818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: ntmulti.exe (PID: 2512) Address: 0xe1386020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: RegSrvc.exe (PID: 2836) Address: 0xe132e818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: ddmserv.exe (PID: 2920) Address: 0xe15726b0 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: softmon.exe (PID: 2976) Address: 0xe15b6818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: svchost.exe (PID: 3044) Address: 0xe1640280 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: tracksvc.exe (PID: 3076) Address: 0xe1655468 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: LocalSch.EXE (PID: 3164) Address: 0xe15f2020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: mqsvc.exe (PID: 3396) Address: 0xe1601818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: wmiprvse.exe (PID: 3836) Address: 0xe1788378 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: hkcmd.exe (PID: 1212) Address: 0xe18df020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: DirectCD.exe (PID: 2548) Address: 0xe1951020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: BCMSMMSG.exe (PID: 2624) Address: 0xe1948818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: SynTPLpr.exe (PID: 2912) Address: 0xe18d3020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: SynTPEnh.exe (PID: 2960) Address: 0xe195f020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: direct.exe (PID: 2464) Address: 0xe1964020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: udaterui.exe (PID: 1372) Address: 0xe194f818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: alg.exe (PID: 3904) Address: 0xe18db020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: 1XConfig.exe (PID: 1224) Address: 0xe1993020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: vpngui.exe (PID: 2332) Address: 0xe354f020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: issuser.exe (PID: 1468) Address: 0xe1a2f818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: rcgui.exe (PID: 1772) Address: 0xe35fe818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: mcconsol.exe (PID: 716) Address: 0xe37ea020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: SHSTAT.EXE (PID: 936) Address: 0xe3a8c020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: hkcmd.exe (PID: 2952) Address: 0xe3d1c020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: direct.exe (PID: 2168) Address: 0xe33d1020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: UTLite33.exe (PID: 2864) Address: 0xe4018020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: VZAccess Manager.exe (PID: 2156) Address: 0xe40be020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: msoffice.exe (PID: 3384) Address: 0xe31db020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: r_server.exe (PID: 2104) Address: 0xe40de020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: mcshield.exe (PID: 3012) Address: 0xe3f5a020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: mfeann.exe (PID: 2740) Address: 0xe1697020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: explorer.exe (PID: 3264) Address: 0xe19ac020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: FrameworkService.exe (PID: 1568) Address: 0xe3735020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: naPrdMgr.exe (PID: 2780) Address: 0xe35bc020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: ctfmon.exe (PID: 2588) Address: 0xe30d6818 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: RootRepeal.exe (PID: 1376) Address: 0xe3dae020 Size: -

Object: Hidden Handle [index: 4, Type: UnknownType]

Process: LDregwatch.exe (PID: 5232) Address: 0xe30be020 Size: -

==EOF==


Open Notepad and copy and paste the text in the code box below into it:

```
http://forums.malwarebytes.org/index.php?showtopic=77497

Collect::[8]
c:\windows\system32\admdll.dll
C:\Documents and Settings\pcadmin\Local Settings\Temp\pxlirpoc.sys
```

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


ComboFix 11-03-14.01 - graham_baughman 03/14/2011 18:06:26.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.211 [GMT -4:00]

Running from: c:\temp\Combo-Fix.exe

Command switches used :: c:\temp\CFScript.txt

.

file zipped: c:\windows\system32\admdll.dll

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\cullinank\Local Settings\Application Data\{F27CA0C3-2FC2-4861-ADA6-B4AD4633B058}

c:\documents and settings\cullinank\Local Settings\Application Data\{F27CA0C3-2FC2-4861-ADA6-B4AD4633B058}\chrome.manifest

c:\documents and settings\cullinank\Local Settings\Application Data\{F27CA0C3-2FC2-4861-ADA6-B4AD4633B058}\chrome\content\_cfg.js

c:\documents and settings\cullinank\Local Settings\Application Data\{F27CA0C3-2FC2-4861-ADA6-B4AD4633B058}\chrome\content\overlay.xul

c:\documents and settings\cullinank\Local Settings\Application Data\{F27CA0C3-2FC2-4861-ADA6-B4AD4633B058}\install.rdf

c:\windows\system32\AdmDll.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))

.

.

2011-03-14 20:01 . 2011-03-14 20:01 135168 ----a-w- C:\LdDiscSvc.exe

2011-03-11 03:02 . 2011-03-12 06:35 0 ----a-w- c:\documents and settings\cullinank\Local Settings\Application Data\Bgesus.bin

2011-03-11 03:01 . 2011-03-11 03:01 102400 --sha-r- c:\documents and settings\cullinank\Application Data\WINMSGE.dll

2011-03-10 22:41 . 2011-03-10 22:42 472064 ----a-w- c:\temp\RootRepeal.exe

2011-03-10 21:48 . 2011-03-14 21:57 4286801 ----a-r- c:\temp\Combo-Fix.exe

2011-03-10 18:42 . 2011-03-10 21:53 -------- d-----w- C:\ComboFix

2011-03-10 17:59 . 2011-03-10 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-03-10 17:55 . 2011-03-10 17:55 10630896 ----a-w- c:\temp\SUPERAntiSpyware.exe

2011-03-10 17:55 . 2011-03-10 17:55 12502472 ----a-w- c:\temp\windows-kb890830-v3.17.exe

2011-03-10 17:27 . 2011-03-10 17:33 1377112 ----a-w- c:\temp\tdsskiller\TDSSKiller.exe

2011-03-10 15:34 . 2011-03-10 15:34 296448 ----a-w- c:\temp\7cdkplwm.exe

2011-03-10 15:30 . 2011-03-10 15:30 625664 ----a-w- c:\temp\dds.com

2011-03-10 15:23 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-10 15:23 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-09 22:17 . 2011-03-09 22:17 -------- d-----w- c:\documents and settings\pcadmin\Local Settings\Application Data\panagenda

2011-03-09 18:16 . 2011-03-09 18:16 -------- d-----w- c:\documents and settings\cullinank\Local Settings\Application Data\Threat Expert

2011-03-09 17:50 . 2011-03-10 14:36 -------- d-----w- c:\program files\PC Tools Security

2011-03-09 17:50 . 2011-03-09 18:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-03-09 17:43 . 2011-03-09 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-03-09 17:42 . 2011-03-09 17:43 512992 ----a-w- c:\temp\sdsetup.exe

2011-03-08 20:03 . 2011-03-08 20:03 -------- d-----w- c:\documents and settings\graham_baughman\Application Data\Malwarebytes

2011-03-08 20:00 . 2011-03-08 20:00 -------- d-----w- c:\documents and settings\pcadmin\Application Data\Malwarebytes

2011-03-08 19:59 . 2011-03-10 15:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-18 04:01 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-18 07:18 . 2008-10-16 06:55 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-18 14:45 . 2009-06-25 00:16 82696 ----a-w- c:\windows\system32\lmdimon8.dll

2011-01-18 14:45 . 2009-06-25 00:16 82184 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll

2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:08 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:08 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-12-20 23:08 . 2004-08-04 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:08 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((( SnapShot@2011-03-10_22.11.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2004-03-22 23:08 . 2011-03-14 05:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2004-03-22 23:08 . 2011-03-10 05:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2011-03-11 05:51 . 2011-03-14 05:01 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2011-03-10 05:08 . 2011-03-10 05:01 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-09 20530]

"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-09 24626]

"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-09 45056]

"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-09 20480]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-29 86016]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]

"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]

"DIRECT!"="c:\program files\Courion Corporation\Enterprise Provisioning Suite DIRECT!\direct.exe" [2005-02-18 98304]

"Cisco Works"="c:\windows\UTLite33.exe" [2004-08-10 172098]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-08-26 124224]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-24 155648]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

.

c:\documents and settings\pcadmin\Start Menu\Programs\Startup\

VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-10-18 1685040]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Mohawk Industries, Inc. VPN Client.lnk - c:\program files\Mohawk VPN Client\vpngui.exe [2004-4-7 1470296]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"MaxGPOScriptWait"= 90 (0x5a)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2003-06-20 15:03 110592 ----a-w- c:\windows\system32\LgNotify.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logoff\0\0]

"Script"=MUS PrintServer Renamed.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logoff\1\0]

"Script"=MUS PrintServer Renamed.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\0\0]

"Script"=MUS PrintServer Renamed.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\1\0]

"Script"=MUS PrintServer Renamed.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\2\0]

"Script"=SecAware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1227242974-989965042-2761722181-26545\Scripts\Logon\3\0]

"Script"=\\MICHGLDESK01.na.int.grp\LDLOGON\Netlogon\LANDesk\iDeploy.exe

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Avaya Modular Messaging\\Common\\ummiddleman.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\cba\\pds.exe"=

"c:\\WINDOWS\\system32\\msgsys.exe"=

"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=

"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:10.52.1.152/255.255.255.255:Enabled:TCP\135

"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port

"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port

"67:UDP"= 67:UDP:LANDesk® PXE UDP Port

"67:TCP"= 67:TCP:LANDesk® PXE TCP Port

"445:TCP"= 445:TCP:@xpsp2res.dll,-22005

"139:TCP"= 139:TCP:@xpsp2res.dll,-22004

"138:UDP"= 138:UDP:@xpsp2res.dll,-22002

"137:UDP"= 137:UDP:@xpsp2res.dll,-22001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [10/15/2010 8:41 AM 147456]

R2 CISMBIOS;CISMBIOS;c:\windows\system32\drivers\cismbios.sys [9/10/2010 11:25 PM 14848]

R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [1/23/2011 5:57 PM 205312]

R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\LANDesk\LDClient\tmcsvc.exe [1/23/2011 5:57 PM 178688]

R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [12/16/2009 8:31 PM 222528]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/25/2010 9:07 PM 22816]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/14/2010 6:48 PM 69192]

R2 MHK PC Tune-up;MHK PC Tune-up;c:\program files\Mohawk Industries\Tune Up Suite\Mohawk PC Tune-up Scheduler.exe [7/10/2008 4:46 PM 53248]

R2 SnaDdm;SNA DDM Service;c:\program files\Host Integration Server\system\ddmserv.exe [8/7/2000 9:32 AM 82192]

R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [1/23/2011 5:57 PM 385024]

R2 tracksvc;LANDesk® Power Management Track Service;c:\program files\LANDesk\LDClient\tracksvc.exe [1/23/2011 5:58 PM 66048]

R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [3/11/2010 4:13 PM 14336]

R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [3/11/2010 4:13 PM 5120]

R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [3/11/2010 4:13 PM 6144]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [4/15/2005 1:00 PM 31424]

S2 ProcTrigger;LANDesk® Process Trigger Service;c:\program files\LANDesk\LDClient\ProcTriggerSvc.exe [1/23/2011 5:58 PM 143360]

S2 r_server;Remote Administrator Service;r_server.exe /service --> r_server.exe [?]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [3/25/2004 3:05 PM 30775]

S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [5/10/2004 8:17 PM 281600]

S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\windows\system32\drivers\cwbmidi.sys [3/22/2004 10:37 AM 3072]

S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [3/22/2004 10:37 AM 72832]

S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [5/10/2004 8:17 PM 55999]

S3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2/6/2003 11:23 PM 59328]

S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/3/2004 7:26 PM 80384]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/14/2010 6:48 PM 66536]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [8/17/2001 9:47 AM 9344]

S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [5/10/2004 8:17 PM 701386]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - PROCEXP111

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

.

------- Supplementary Scan -------

.

TCP: {6A2720C9-4721-4AA1-A14F-68CC22F6BB25} = 10.10.1.155,10.11.0.17

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {613FFCA3-8ABC-11D2-A99B-400010000124} - hxxp://midgs17.mohawk.com/core/sskeys.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-14 18:24

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1116)

c:\windows\system32\stlport_vc746.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\LgNotify.dll

c:\windows\system32\igfxsrvc.dll

c:\windows\system32\hccutils.DLL

.

Completion time: 2011-03-14 18:28:43

ComboFix-quarantined-files.txt 2011-03-14 22:28

ComboFix2.txt 2011-03-10 22:16

ComboFix3.txt 2011-03-09 20:19

.

Pre-Run: 20,415,631,360 bytes free

Post-Run: 20,585,340,928 bytes free

.

- - End Of File - - 276218D9A8D996800A4AD15927CEDD3C

Upload was successful


Log is posted below. Though I've found other evidence of infection, including this registry key:

HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ Dyixor \ "rundll32.exe "C:\Documents and Settings\cullinank\Local Settings\Application Data\aruqadiru.dll",Startup"

The above key clearly has no legitimate business being there but is not detected by scans. Likewise, the .dll file it points to is shown by 'process explorer' to be hooked into a large number of running processes, including almost the entire explorer.exe process tree.

I strongly suspect that some virus which is being missed is loading these other viruses back after they are being removed.

*****************************************MBAM Log****************************************************************************

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6058

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

3/15/2011 11:34:36 AM

mbam-log-2011-03-15 (11-34-36).txt

Scan type: Quick scan

Objects scanned: 144870

Time elapsed: 12 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
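As a defender-side illustration of the persistence pattern the post above describes (a Run-key value that uses rundll32.exe to load a DLL sitting in the user's Application Data folder), here is an added Python example; it is not part of this thread and not code from ComboFix, Malwarebytes or any other tool mentioned. It parses Run-key entries in the REGEDIT4-style layout ComboFix prints under "Reg Loading Points" and flags entries whose image lives in a user-writable profile directory, noting when the load goes through rundll32.exe so the analyst looks at the DLL rather than the host process. The sample log text is constructed: the IgfxTray and Adobe ARM lines are copied from the log above, the NvCplDaemon line is a made-up legitimate rundll32 entry modelled on a common video-driver autostart, and the Dyixor line is the value quoted in the post with a placeholder date/size stamp.

```python
"""Audit Windows autostart (Run-key) entries for the pattern seen in this
thread: rundll32.exe loading a DLL from a user-writable profile directory.

Added example, not code from this thread or from ComboFix / Malwarebytes.
Assumed input: REGEDIT4-style lines in the layout ComboFix prints.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. IgfxTray / Adobe ARM are copied from the log above;
# NvCplDaemon is a made-up legitimate rundll32 entry; Dyixor is the value
# quoted in the post, with a placeholder [date size] stamp.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"NvCplDaemon"="rundll32.exe c:\windows\system32\NvCpl.dll,NvStartup" [2005-01-01 1111111]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Dyixor"="rundll32.exe "C:\Documents and Settings\cullinank\Local Settings\Application Data\aruqadiru.dll",Startup" [2011-03-08 99999]
'''

# [HKEY_...] section header
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "Name"="command" [yyyy-mm-dd size]   (ComboFix layout)
COMBOFIX_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s+\[\d{4}-\d{2}-\d{2}\s+\d+\]$')
# rundll32[.exe] <dll>[,<export>], quoted or unquoted, with or without a path
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*(?:,\s*(\S+))?',
    re.IGNORECASE)
# first token that looks like an executable image, quoted or not
IMAGE_RE = re.compile(r'"?(.+?\.(?:exe|dll|scr|cpl|bat|vbs))\b', re.IGNORECASE)

# Directory fragments an ordinary user can write to; a program that autostarts
# from one of these deserves a closer look than one under Program Files.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\users\\",
    "\\temp\\",
)


def parse_combofix_run_values(text):
    """Yield (key, value_name, command) for each value line under a key."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = COMBOFIX_VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)


def parse_rundll32(command):
    """Return (dll_path, export_name) if the command is a rundll32 load, else None."""
    m = RUNDLL32_RE.match(command)
    if not m:
        return None
    return m.group(1), (m.group(2) or "")


def image_path(command):
    """Best-effort path of what the autostart command actually runs or loads."""
    parsed = parse_rundll32(command)
    if parsed:
        return parsed[0]            # the DLL, not rundll32.exe itself
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else None


@dataclass
class Finding:
    key: str
    value_name: str
    command: str
    reasons: list = field(default_factory=list)


def audit(text):
    """Return a Finding for every Run value whose image lives in a user-writable path."""
    findings = []
    for key, name, command in parse_combofix_run_values(text):
        reasons = []
        path = image_path(command)
        via_rundll32 = parse_rundll32(command)
        if path and any(mk in path.lower() for mk in USER_WRITABLE_MARKERS):
            reasons.append("image lives in a user-writable profile directory: " + path)
        if via_rundll32 and reasons:
            export = via_rundll32[1] or "<default>"
            reasons.append("loaded through rundll32.exe, export " + export
                           + " (examine the DLL, not rundll32)")
        if reasons:
            findings.append(Finding(key, name, command, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.key}\\{f.value_name}")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed sample it reports only the Dyixor value; the NvCplDaemon entry also goes through rundll32.exe but its DLL is under system32, which is why the script keys on the load path rather than on rundll32 itself. To use it on a real ComboFix log, paste the "Reg Loading Points" section in place of SAMPLE_LOG; treating a hit as a lead for further analysis (hash the DLL, check its signer and timestamps) rather than as a verdict is the intended workflow.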
