Jump to content

Malware bytes unable to remove trojan after reboot


kvk

Recommended Posts

Hi,

My laptop is affected with virus. I ran malware bytes and it picked up and shown trojan but not deleted after reboot. Please help. Here is the log

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 7529

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

8/22/2011 6:51:06 AM

mbam-log-2011-08-22 (06-51-06).txt

Scan type: Quick scan

Objects scanned: 1

Time elapsed: 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\audiosrv32.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\WINDOWS\system32\audiosrv32.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\audiosrv32.dll (Trojan.Tracur.S) -> Delete on reboot.

Link to post
Share on other sites

Hi Please find the log from Malware Bytes after updated version and attached dds.txt.

------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7571

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

8/25/2011 8:50:15 PM

mbam-log-2011-08-25 (20-50-15).txt

Scan type: Quick scan

Objects scanned: 188695

Time elapsed: 12 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\audiosrv32.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\WINDOWS\system32\audiosrv32.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\audiosrv32.dll (Trojan.Tracur.S) -> Delete on reboot.

c:\documents and settings\localservice\application data\02000000eb80d46c1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000eb80d46c1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000eb80d46c1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000eb80d46c1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000eb80d46c1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000eb80d46c1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000eb80d46c1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000eb80d46c1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

------------------------------------------------------------------------------------------

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

dds.txt

Link to post
Share on other sites

Hi, Please find the attached logs as requested.

Thanks in Advance... KVK

Hi,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

dds.txt

ComboFix.txt

Link to post
Share on other sites

  • Staff

Hi,

Don't attach logs please.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

Hi Please find the logs. audiosrv32.dll file was removed from system32 folder after running combofix but it again came back.

------------------------------------------------------------------------------------------------------------

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=b7aa20df31d3b046ba78fb6e363d555b

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-02 12:19:34

# local_time=2011-09-01 08:19:34 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=107548

# found=0

# cleaned=0

# scan_time=7947

------------------------------------------------------------------------------------------------------------

Results of screen317's Security Check version 0.99.7

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

McAfee VirusScan Enterprise

McAfee AntiSpyware Enterprise Module

McAfee Agent

CSC-ENG-McAfeeReBaseline-1.0.GBL-R1

McAfee Host Intrusion Prevention

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 26

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 10.3.183.5

Adobe Reader X (10.1.0)

````````````````````````````````

Process Check:

objlist.exe by Laurent

McAfee VirusScan Enterprise engineserver.exe

McAfee VirusScan Enterprise vstskmgr.exe

McAfee VirusScan Enterprise mcshield.exe

``````````End of Log````````````

------------------------------------------------------------------------------------------------------------

Hi,

Don't attach logs please.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

Please find the logs.

----------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7655

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

9/5/2011 7:53:51 AM

mbam-log-2011-09-05 (07-53-51).txt

Scan type: Quick scan

Objects scanned: 190547

Time elapsed: 40 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\audiosrv32.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\WINDOWS\system32\audiosrv32.dll) Good: () -> Delete on reboot.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\audiosrv32.dll (Trojan.Tracur.S) -> Delete on reboot.

c:\documents and settings\localservice\application data\02000000eb80d46c1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000eb80d46c1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000eb80d46c1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\localservice\application data\02000000eb80d46c1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000eb80d46c1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000eb80d46c1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000eb80d46c1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\02000000eb80d46c1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

----------------------------------------------------------------------------------------------------------------------

ComboFix 11-09-05.02 - vkandem 09/05/2011 8:04.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1369 [GMT -4:00]

Running from: c:\documents and settings\vkandem\Desktop\anti\ComboFix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FW: McAfee Host Intrusion Prevention Firewall *Disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

* Resident AV is active

.

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\audiosrv32.dll

c:\windows\system32\HIPIS0e011b5.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))

.

.

2011-09-01 22:00 . 2011-09-01 22:00 -------- d-----w- c:\program files\ESET

2011-08-21 22:28 . 2011-09-05 12:04 -------- d-----w- C:\Quarantine

2011-08-21 19:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-21 19:38 . 2011-08-21 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-08-21 19:37 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-21 19:37 . 2011-08-26 00:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-21 19:21 . 2011-08-21 19:21 -------- d-----w- c:\program files\Media Player Classic - Home Cinema

2011-08-21 18:04 . 2011-08-21 18:04 -------- d-----w- c:\program files\VideoLAN

2011-08-21 16:17 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-08-21 16:16 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-08-21 16:16 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2011-08-21 16:16 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-08-21 12:30 . 2011-08-21 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks

2011-08-21 12:30 . 2011-08-21 12:30 -------- d-----w- c:\windows\system32\TVUAx

2011-08-20 19:07 . 2011-08-20 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe

2011-08-20 18:59 . 2011-08-20 18:59 -------- d-----w- c:\program files\Adobe Media Player

2011-08-20 18:50 . 2011-08-20 18:50 -------- d-----w- c:\program files\Common Files\Adobe AIR

2011-08-20 18:29 . 2011-08-20 18:29 0 ---ha-w- c:\windows\system32\gavinsmqtb.tmp

2011-08-19 22:29 . 2008-04-14 04:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys

2011-08-19 22:29 . 2008-04-14 04:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2011-08-19 22:29 . 2008-04-14 04:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys

2011-08-19 22:29 . 2008-04-14 04:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2011-08-19 22:29 . 2008-04-14 09:42 16384 ----a-w- c:\windows\system32\ipsink.ax

2011-08-19 22:29 . 2008-04-14 04:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2011-08-19 22:29 . 2008-04-14 04:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2011-08-19 22:29 . 2008-04-14 04:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys

2011-08-19 22:29 . 2008-04-14 04:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2011-08-19 22:28 . 2008-04-14 04:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys

2011-08-19 22:28 . 2008-04-14 04:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2011-08-19 22:28 . 2008-04-14 04:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys

2011-08-19 22:28 . 2008-04-14 04:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2011-08-19 22:28 . 2008-04-14 04:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys

2011-08-19 22:28 . 2008-04-14 04:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2011-08-19 22:28 . 2008-04-14 09:42 91136 ----a-w- c:\windows\system32\kswdmcap.ax

2011-08-19 22:28 . 2008-04-14 09:42 61952 ----a-w- c:\windows\system32\kstvtune.ax

2011-08-19 22:28 . 2008-04-14 09:42 43008 ----a-w- c:\windows\system32\ksxbar.ax

2011-08-19 22:28 . 2008-04-14 09:42 20992 ----a-w- c:\windows\system32\dshowext.ax

2011-08-19 22:28 . 2008-04-14 09:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2011-08-19 22:28 . 2008-04-14 09:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2011-08-19 14:45 . 2011-08-20 19:02 -------- d-----w- c:\program files\Common Files\Adobe

2011-08-18 22:35 . 2011-08-26 13:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-08-18 13:32 . 2011-08-18 13:32 1178112 ----a-w- c:\windows\system32\mfeotlk32.exe

2011-08-18 13:32 . 2011-08-18 13:32 1178112 ----a-w- c:\windows\system32\extmgr32.exe

2011-08-17 21:15 . 2011-08-17 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2011-08-17 21:14 . 2011-08-17 21:14 -------- d-----w- c:\program files\Citrix

2011-08-17 17:25 . 2008-04-14 09:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2011-08-17 17:25 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-08-17 17:24 . 2008-04-14 04:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2011-08-17 17:24 . 2008-04-14 04:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2011-08-17 17:24 . 2008-04-14 04:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-08-17 17:24 . 2008-04-14 04:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-08-17 12:11 . 2011-08-17 12:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-17 00:10 . 2005-12-19 04:00 15360 ----a-w- c:\windows\system32\srvany.exe

2011-08-17 00:08 . 2011-09-05 12:01 -------- d-----w- c:\windows\system32\CatRoot2

2011-08-16 23:43 . 2011-08-16 23:43 -------- d-----w- c:\program files\Common Files\Reflex

2011-08-16 23:42 . 2011-08-16 23:43 -------- d-----w- c:\program files\CheckPoint

2011-08-15 20:36 . 2011-09-05 11:07 -------- d-----w- C:\bPowerTemp

2011-08-15 19:41 . 2011-03-30 19:16 173362 ----a-w- C:\Run_Intelliboot.exe

2011-08-15 19:37 . 2011-08-15 19:37 -------- d-----w- c:\windows\system32\GroupPolicy_Backup-2011815-153712

2011-08-15 18:54 . 2011-08-15 18:54 -------- d-----w- c:\program files\cscmarimba

2011-08-15 18:51 . 2011-09-02 00:41 -------- d-----w- c:\documents and settings\vkandem

2011-08-15 18:44 . 2011-08-15 18:44 -------- d-----w- c:\windows\Internet Logs

2011-08-15 18:30 . 2011-08-15 18:30 -------- d-----w- c:\program files\Common Files\Check Point

2011-08-15 18:30 . 2011-08-15 18:30 -------- d-----w- c:\program files\Pointsec

2011-08-15 18:29 . 2011-08-15 18:30 2097152 --sh--r- C:\PROT_INS.SYS

2011-08-15 18:29 . 2011-08-16 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Pointsec

2011-08-15 18:22 . 2009-11-02 22:14 -------- d-----w- c:\windows\system32\config\systemprofile\SametimeMeetings

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-26 13:22 . 2010-06-03 06:41 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-05 05:56 . 2010-11-02 05:40 136512 ----a-w- c:\windows\system32\KevlarSigs.dll

2010-10-12 20:33 . 2010-10-12 20:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll

2010-10-12 22:15 . 2010-10-12 22:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2010-10-12 20:37 . 2010-10-12 20:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2010-10-12 20:35 . 2010-10-12 20:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2010-10-12 20:34 . 2010-10-12 20:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2010-10-12 20:32 . 2010-10-12 20:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2010-10-12 20:35 . 2010-10-12 20:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2010-10-12 20:34 . 2010-10-12 20:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2010-07-14 16:42 . 2010-07-14 16:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2010-10-12 20:37 . 2010-10-12 20:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17DA3CAA-5ABB-4203-950E-77C6C7AB7193}]

c:\windows\system32\audiosrv32.dll [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\File Encryption Encrypted File]

@="{DFD0D93C-5C34-4db6-9760-F7A788D89B8E}"

[HKEY_CLASSES_ROOT\CLSID\{DFD0D93C-5C34-4db6-9760-F7A788D89B8E}]

2010-09-05 21:05 517536 ----a-w- c:\program files\CheckPoint\File Encryption\Program\pmeshe.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2005-11-11 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2005-11-11 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2005-11-11 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2005-11-11 455168]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-11-11 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-11-11 126976]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-11 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 512000]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-08-16 425984]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-16 143360]

"TpShocks"="TpShocks.exe" [2005-01-24 106496]

"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-17 94208]

"SupportSoft_AMER_CSCi"="c:\program files\SupportSoft_AMER_CSCi\bin\sprtcmd.exe" [2008-10-23 202016]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-02-05 124224]

"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2010-06-15 979104]

"Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-07-09 70144]

"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2010-02-22 858672]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]

"DN4TRAY"="c:\program files\CheckPoint\Tray\DNTray.exe" [2011-01-11 730640]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"LogonType"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWebServices"= 1 (0x1)

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"GreyMSIAds"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Taskman"=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DisknetClient]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\vkandem\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

.

R0 DNPFW;Disknet Pro Device Firewall Driver;c:\windows\system32\drivers\DNPFW.sys [1/11/2011 4:39 PM 37288]

R0 dvrem;Check Point ESME Client EPM Driver;c:\windows\system32\drivers\dvrem.sys [1/11/2011 4:38 PM 63528]

R0 File Encryption Filter Driver;File Encryption Filter Driver;c:\windows\system32\drivers\psfilter.sys [9/5/2010 5:02 PM 111744]

R0 File Encryption Recognizer Driver;File Encryption Recognizer Driver;c:\windows\system32\drivers\psrec.sys [9/5/2010 5:02 PM 35712]

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2/22/2010 2:32 PM 224816]

R0 PSG;Check Point Media Encryption PSG;c:\windows\system32\drivers\psg.sys [1/11/2011 4:38 PM 56232]

R0 rmm;Check Point ESME Client RMM Driver;c:\windows\system32\drivers\rmm.sys [1/11/2011 4:38 PM 26152]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 12:51 PM 65584]

R1 rxAES100;Reflex Magnetics FIPS140-2 Driver;c:\windows\system32\drivers\rxaes100.sys [1/11/2011 4:14 PM 46592]

R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [2/9/2010 4:58 PM 36957]

R2 DisknetClient;Check Point ESME Client Service;c:\program files\CheckPoint\Pointsec Protector Client\disknet.exe [1/11/2011 4:39 PM 1402376]

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [6/15/2010 11:50 AM 1498224]

R2 File Encryption Driver;File Encryption Driver;c:\windows\system32\drivers\psfilenc.sys [9/5/2010 5:02 PM 126720]

R2 File Encryption Policy Service;File Encryption Policy Service;c:\program files\CheckPoint\File Encryption\Program\pmepol.exe [9/5/2010 5:05 PM 600480]

R2 FSCLM Driver;FSCLM Driver;c:\windows\system32\drivers\fsclm.sys [9/5/2010 5:01 PM 97760]

R2 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [11/2/2010 1:40 AM 35696]

R2 hips32;McAfee HIPSCore Service ;c:\windows\system32\extmgr32.exe [8/18/2011 9:32 AM 1178112]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2/4/2011 8:07 PM 22816]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/2/2010 1:25 AM 69192]

R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2/22/2010 2:33 PM 649776]

R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2/22/2010 2:33 PM 231984]

R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [10/23/2008 1:36 PM 1213728]

R2 sprtsvc_supportsoft_amer_csci;SupportSoft Sprocket Service (supportsoft_amer_csci);c:\program files\SupportSoft_AMER_CSCi\bin\sprtsvc.exe [10/23/2008 1:36 PM 202016]

R2 tgsrvc_supportsoft_amer_csci;SupportSoft Repair Service (supportsoft_amer_csci);c:\program files\SupportSoft_AMER_CSCi\bin\tgsrvc.exe [10/23/2008 1:36 PM 148768]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [11/2/2010 1:39 AM 44680]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [11/2/2010 1:40 AM 107960]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [11/2/2010 1:40 AM 38680]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [11/2/2010 1:40 AM 35552]

S0 KAEON;KAEon CD/DVD Writing Filter Driver;c:\windows\system32\drivers\kaeon.sys [1/11/2011 4:38 PM 35624]

S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/22/2008 4:29 AM 10880]

S3 File Encryption Logging Service;File Encryption Logging Service;c:\program files\CheckPoint\File Encryption\Program\pmelog.exe [9/5/2010 5:05 PM 671648]

S3 File Encryption Service;File Encryption Service;c:\program files\CheckPoint\File Encryption\Program\pmefsvc.exe [9/5/2010 5:04 PM 488864]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [11/2/2010 1:39 AM 44680]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/21/2011 3:38 PM 41272]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/2/2010 1:25 AM 67240]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]

S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [11/22/2008 4:29 AM 4608]

S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [11/22/2008 10:36 AM 15744]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [11/22/2008 4:29 AM 22528]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/22/2008 10:33 AM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{12A30BC0-D669-4B11-9C54-D6E16560A69B}]

2008-04-14 10:42 78848 ----a-w- c:\windows\system32\msiexec.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]

2011-04-25 15:51 124928 ----a-w- c:\windows\system32\advpack.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F88A5DAF-F376-4C6F-898A-FF57E45A340E}]

2008-04-14 10:42 78848 ----a-w- c:\windows\system32\msiexec.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-23 c:\windows\Tasks\AdobeAAMUpdater-1.0-VKANDEM-1-vkandem.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-08-20 07:44]

.

2011-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-891307005-2234620177-1106520001-1009Core.job

- c:\documents and settings\vkandem\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-19 22:15]

.

2011-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-891307005-2234620177-1106520001-1009UA.job

- c:\documents and settings\vkandem\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-19 22:15]

.

2009-11-02 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig

mStart Page = hxxp://portal.csc.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm

TCP: DhcpNameServer = 192.168.0.1

.

.

------- File Associations -------

.

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-05 08:35

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-891307005-2234620177-1106520001-1009\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1500)

c:\windows\system32\pssogina.dll

c:\windows\system32\LogonAgentAPI.dll

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

.

- - - - - - - > 'lsass.exe'(1556)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

.

- - - - - - - > 'explorer.exe'(4596)

c:\windows\system32\WININET.dll

c:\program files\CheckPoint\File Encryption\Program\pmeshe.dll

c:\program files\CheckPoint\File Encryption\Program\fsclm.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

.

- - - - - - - > 'csrss.exe'(1476)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\mfeotlk32.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\System32\TPHDEXLG.EXE

c:\windows\system32\wdfmgr.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\windows\system32\TpShocks.exe

c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

c:\program files\Citrix\ICA Client\wfcrun32.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.6\data\sum.exe

c:\program files\McAfee\VirusScan Enterprise\mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\program files\cscmarimba\tuner\lib\minituner.exe

.

**************************************************************************

.

Completion time: 2011-09-05 08:46:32 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-05 12:46

ComboFix2.txt 2011-09-02 01:03

ComboFix3.txt 2011-08-29 03:45

.

Pre-Run: 45,495,140,352 bytes free

Post-Run: 45,484,605,440 bytes free

.

- - End Of File - - 084EC93B5AB562A6A575712BBCF180D7

----------------------------------------------------------------------------------------------------------------------

Update MBAM, run a Quick Scan, and post its log.

Next, grab a fresh copy of ComboFix, run it, and post its log.

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17DA3CAA-5ABB-4203-950E-77C6C7AB7193}]
File::
c:\windows\system32\audiosrv32.dll

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

Please find the logs.

----------------------------------------------------------------------------------------------------------------------

ComboFix 11-09-07.04 - vkandem 09/07/2011 18:01:12.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1324 [GMT -4:00]

Running from: c:\documents and settings\vkandem\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\vkandem\Desktop\CFScript.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FW: McAfee Host Intrusion Prevention Firewall *Disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

* Resident AV is active

.

.

FILE ::

"c:\windows\system32\audiosrv32.dll"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\LocalService\Application Data\02000000eb80d46c1406C.manifest

c:\documents and settings\LocalService\Application Data\02000000eb80d46c1406O.manifest

c:\documents and settings\LocalService\Application Data\02000000eb80d46c1406P.manifest

c:\documents and settings\LocalService\Application Data\02000000eb80d46c1406S.manifest

c:\documents and settings\vkandem\gavinsmqtb.tmp

c:\windows\system32\audiosrv32.dll

c:\windows\system32\HIPIS0e011b5.dll

c:\windows\system32\TPAPSLOG.LOG

c:\windows\system32\TPHDLOG0.LOG

.

.

((((((((((((((((((((((((( Files Created from 2011-08-07 to 2011-09-07 )))))))))))))))))))))))))))))))

.

.

2011-09-05 14:00 . 2011-09-05 14:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-09-05 13:12 . 2011-09-05 13:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2011-09-05 13:09 . 2011-09-05 13:13 -------- dc-h--w- c:\windows\ie8

2011-09-05 13:07 . 2011-09-05 13:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2011-09-05 13:06 . 2011-09-05 13:07 -------- d-----w- c:\program files\Google

2011-09-01 22:00 . 2011-09-01 22:00 -------- d-----w- c:\program files\ESET

2011-08-21 22:28 . 2011-09-07 22:01 -------- d-----w- C:\Quarantine

2011-08-21 19:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-21 19:38 . 2011-08-21 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-08-21 19:37 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-21 19:37 . 2011-08-26 00:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-21 19:21 . 2011-08-21 19:21 -------- d-----w- c:\program files\Media Player Classic - Home Cinema

2011-08-21 18:04 . 2011-08-21 18:04 -------- d-----w- c:\program files\VideoLAN

2011-08-21 16:17 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-08-21 16:16 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-08-21 16:16 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2011-08-21 16:16 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-08-21 12:30 . 2011-08-21 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks

2011-08-21 12:30 . 2011-08-21 12:30 -------- d-----w- c:\windows\system32\TVUAx

2011-08-20 19:07 . 2011-08-20 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe

2011-08-20 18:59 . 2011-08-20 18:59 -------- d-----w- c:\program files\Adobe Media Player

2011-08-20 18:50 . 2011-08-20 18:50 -------- d-----w- c:\program files\Common Files\Adobe AIR

2011-08-20 18:29 . 2011-08-20 18:29 0 ---ha-w- c:\windows\system32\gavinsmqtb.tmp

2011-08-19 22:29 . 2008-04-14 04:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys

2011-08-19 22:29 . 2008-04-14 04:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2011-08-19 22:29 . 2008-04-14 04:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys

2011-08-19 22:29 . 2008-04-14 04:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2011-08-19 22:29 . 2008-04-14 09:42 16384 ----a-w- c:\windows\system32\ipsink.ax

2011-08-19 22:29 . 2008-04-14 04:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2011-08-19 22:29 . 2008-04-14 04:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2011-08-19 22:29 . 2008-04-14 04:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys

2011-08-19 22:29 . 2008-04-14 04:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2011-08-19 22:28 . 2008-04-14 04:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys

2011-08-19 22:28 . 2008-04-14 04:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2011-08-19 22:28 . 2008-04-14 04:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys

2011-08-19 22:28 . 2008-04-14 04:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2011-08-19 22:28 . 2008-04-14 04:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys

2011-08-19 22:28 . 2008-04-14 04:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2011-08-19 22:28 . 2008-04-14 09:42 91136 ----a-w- c:\windows\system32\kswdmcap.ax

2011-08-19 22:28 . 2008-04-14 09:42 61952 ----a-w- c:\windows\system32\kstvtune.ax

2011-08-19 22:28 . 2008-04-14 09:42 43008 ----a-w- c:\windows\system32\ksxbar.ax

2011-08-19 22:28 . 2008-04-14 09:42 20992 ----a-w- c:\windows\system32\dshowext.ax

2011-08-19 22:28 . 2008-04-14 09:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2011-08-19 22:28 . 2008-04-14 09:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2011-08-19 14:45 . 2011-08-20 19:02 -------- d-----w- c:\program files\Common Files\Adobe

2011-08-18 22:35 . 2011-08-26 13:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-08-18 13:32 . 2011-08-18 13:32 1178112 ----a-w- c:\windows\system32\mfeotlk32.exe

2011-08-18 13:32 . 2011-08-18 13:32 1178112 ----a-w- c:\windows\system32\extmgr32.exe

2011-08-17 21:15 . 2011-08-17 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2011-08-17 21:14 . 2011-08-17 21:14 -------- d-----w- c:\program files\Citrix

2011-08-17 17:25 . 2008-04-14 09:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2011-08-17 17:25 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-08-17 17:24 . 2008-04-14 04:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2011-08-17 17:24 . 2008-04-14 04:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2011-08-17 17:24 . 2008-04-14 04:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-08-17 17:24 . 2008-04-14 04:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-08-17 12:11 . 2011-08-17 12:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-17 00:10 . 2005-12-19 04:00 15360 ----a-w- c:\windows\system32\srvany.exe

2011-08-17 00:08 . 2011-09-07 22:32 -------- d-----w- c:\windows\system32\CatRoot2

2011-08-16 23:43 . 2011-08-16 23:43 -------- d-----w- c:\program files\Common Files\Reflex

2011-08-16 23:42 . 2011-08-16 23:43 -------- d-----w- c:\program files\CheckPoint

2011-08-15 20:36 . 2011-09-05 11:07 -------- d-----w- C:\bPowerTemp

2011-08-15 19:41 . 2011-03-30 19:16 173362 ----a-w- C:\Run_Intelliboot.exe

2011-08-15 19:37 . 2011-08-15 19:37 -------- d-----w- c:\windows\system32\GroupPolicy_Backup-2011815-153712

2011-08-15 18:54 . 2011-08-15 18:54 -------- d-----w- c:\program files\cscmarimba

2011-08-15 18:51 . 2011-09-07 22:23 -------- d-----w- c:\documents and settings\vkandem

2011-08-15 18:44 . 2011-08-15 18:44 -------- d-----w- c:\windows\Internet Logs

2011-08-15 18:30 . 2011-08-15 18:30 -------- d-----w- c:\program files\Common Files\Check Point

2011-08-15 18:30 . 2011-08-15 18:30 -------- d-----w- c:\program files\Pointsec

2011-08-15 18:29 . 2011-08-15 18:30 2097152 --sh--r- C:\PROT_INS.SYS

2011-08-15 18:29 . 2011-08-16 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Pointsec

2011-08-15 18:22 . 2009-11-02 22:14 -------- d-----w- c:\windows\system32\config\systemprofile\SametimeMeetings

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-26 13:22 . 2010-06-03 06:41 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-05 05:56 . 2010-11-02 05:40 136512 ----a-w- c:\windows\system32\KevlarSigs.dll

2010-10-12 20:33 . 2010-10-12 20:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll

2010-10-12 22:15 . 2010-10-12 22:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2010-10-12 20:37 . 2010-10-12 20:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2010-10-12 20:35 . 2010-10-12 20:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2010-10-12 20:34 . 2010-10-12 20:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2010-10-12 20:32 . 2010-10-12 20:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2010-10-12 20:35 . 2010-10-12 20:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2010-10-12 20:34 . 2010-10-12 20:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2010-07-14 16:42 . 2010-07-14 16:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2010-10-12 20:37 . 2010-10-12 20:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\File Encryption Encrypted File]

@="{DFD0D93C-5C34-4db6-9760-F7A788D89B8E}"

[HKEY_CLASSES_ROOT\CLSID\{DFD0D93C-5C34-4db6-9760-F7A788D89B8E}]

2010-09-05 21:05 517536 ----a-w- c:\program files\CheckPoint\File Encryption\Program\pmeshe.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-05 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2005-11-11 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2005-11-11 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2005-11-11 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2005-11-11 455168]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-11-11 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-11-11 126976]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-11 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 512000]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-08-16 425984]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-16 143360]

"TpShocks"="TpShocks.exe" [2005-01-24 106496]

"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-17 94208]

"SupportSoft_AMER_CSCi"="c:\program files\SupportSoft_AMER_CSCi\bin\sprtcmd.exe" [2008-10-23 202016]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-02-05 124224]

"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2010-06-15 979104]

"Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-07-09 70144]

"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2010-02-22 858672]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]

"DN4TRAY"="c:\program files\CheckPoint\Tray\DNTray.exe" [2011-01-11 730640]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"LogonType"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWebServices"= 1 (0x1)

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"GreyMSIAds"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DisknetClient]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\vkandem\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

.

R0 DNPFW;Disknet Pro Device Firewall Driver;c:\windows\system32\drivers\DNPFW.sys [1/11/2011 4:39 PM 37288]

R0 dvrem;Check Point ESME Client EPM Driver;c:\windows\system32\drivers\dvrem.sys [1/11/2011 4:38 PM 63528]

R0 File Encryption Filter Driver;File Encryption Filter Driver;c:\windows\system32\drivers\psfilter.sys [9/5/2010 5:02 PM 111744]

R0 File Encryption Recognizer Driver;File Encryption Recognizer Driver;c:\windows\system32\drivers\psrec.sys [9/5/2010 5:02 PM 35712]

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2/22/2010 2:32 PM 224816]

R0 PSG;Check Point Media Encryption PSG;c:\windows\system32\drivers\psg.sys [1/11/2011 4:38 PM 56232]

R0 rmm;Check Point ESME Client RMM Driver;c:\windows\system32\drivers\rmm.sys [1/11/2011 4:38 PM 26152]

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/22/2008 4:29 AM 10880]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 12:51 PM 65584]

R1 rxAES100;Reflex Magnetics FIPS140-2 Driver;c:\windows\system32\drivers\rxaes100.sys [1/11/2011 4:14 PM 46592]

R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [2/9/2010 4:58 PM 36957]

R2 DisknetClient;Check Point ESME Client Service;c:\program files\CheckPoint\Pointsec Protector Client\disknet.exe [1/11/2011 4:39 PM 1402376]

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [6/15/2010 11:50 AM 1498224]

R2 File Encryption Driver;File Encryption Driver;c:\windows\system32\drivers\psfilenc.sys [9/5/2010 5:02 PM 126720]

R2 File Encryption Policy Service;File Encryption Policy Service;c:\program files\CheckPoint\File Encryption\Program\pmepol.exe [9/5/2010 5:05 PM 600480]

R2 FSCLM Driver;FSCLM Driver;c:\windows\system32\drivers\fsclm.sys [9/5/2010 5:01 PM 97760]

R2 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [11/2/2010 1:40 AM 35696]

R2 hips32;McAfee HIPSCore Service ;c:\windows\system32\extmgr32.exe [8/18/2011 9:32 AM 1178112]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2/4/2011 8:07 PM 22816]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/2/2010 1:25 AM 69192]

R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2/22/2010 2:33 PM 649776]

R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2/22/2010 2:33 PM 231984]

R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [10/23/2008 1:36 PM 1213728]

R2 sprtsvc_supportsoft_amer_csci;SupportSoft Sprocket Service (supportsoft_amer_csci);c:\program files\SupportSoft_AMER_CSCi\bin\sprtsvc.exe [10/23/2008 1:36 PM 202016]

R2 tgsrvc_supportsoft_amer_csci;SupportSoft Repair Service (supportsoft_amer_csci);c:\program files\SupportSoft_AMER_CSCi\bin\tgsrvc.exe [10/23/2008 1:36 PM 148768]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [11/2/2010 1:39 AM 44680]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [11/2/2010 1:40 AM 107960]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [11/2/2010 1:40 AM 38680]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [11/2/2010 1:40 AM 35552]

S0 KAEON;KAEon CD/DVD Writing Filter Driver;c:\windows\system32\drivers\kaeon.sys [1/11/2011 4:38 PM 35624]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2011 9:07 AM 135664]

S3 File Encryption Logging Service;File Encryption Logging Service;c:\program files\CheckPoint\File Encryption\Program\pmelog.exe [9/5/2010 5:05 PM 671648]

S3 File Encryption Service;File Encryption Service;c:\program files\CheckPoint\File Encryption\Program\pmefsvc.exe [9/5/2010 5:04 PM 488864]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [11/2/2010 1:39 AM 44680]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2011 9:07 AM 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/21/2011 3:38 PM 41272]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/2/2010 1:25 AM 67240]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]

S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [11/22/2008 4:29 AM 4608]

S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [11/22/2008 10:36 AM 15744]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [11/22/2008 4:29 AM 22528]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/22/2008 10:33 AM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{12A30BC0-D669-4B11-9C54-D6E16560A69B}]

2008-04-14 10:42 78848 ----a-w- c:\windows\system32\msiexec.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F88A5DAF-F376-4C6F-898A-FF57E45A340E}]

2008-04-14 10:42 78848 ----a-w- c:\windows\system32\msiexec.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-23 c:\windows\Tasks\AdobeAAMUpdater-1.0-VKANDEM-1-vkandem.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-08-20 07:44]

.

2011-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 13:07]

.

2011-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 13:07]

.

2011-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-891307005-2234620177-1106520001-1009Core.job

- c:\documents and settings\vkandem\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-19 22:15]

.

2011-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-891307005-2234620177-1106520001-1009UA.job

- c:\documents and settings\vkandem\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-19 22:15]

.

2009-11-02 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]

.

2011-09-07 c:\windows\Tasks\User_Feed_Synchronization-{A4EDC65D-CB01-43CB-B7FF-F1A4C05DF9E2}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm

TCP: DhcpNameServer = 192.168.0.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-07 18:49

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\system32\TPAPSLOG.LOG 192 bytes

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-891307005-2234620177-1106520001-1009\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1492)

c:\windows\system32\pssogina.dll

c:\windows\system32\LogonAgentAPI.dll

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

.

- - - - - - - > 'lsass.exe'(1548)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

.

- - - - - - - > 'explorer.exe'(3332)

c:\windows\system32\SynTPFcs.dll

c:\program files\CheckPoint\File Encryption\Program\pmeshe.dll

c:\program files\CheckPoint\File Encryption\Program\fsclm.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\windows\system32\webcheck.dll

.

- - - - - - - > 'csrss.exe'(1468)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\mfeotlk32.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\System32\TPHDEXLG.EXE

c:\windows\system32\wdfmgr.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\program files\cscmarimba\tuner\.marimba\cscmarimba\ch.6\data\sum.exe

c:\program files\cscmarimba\tuner\lib\minituner.exe

c:\windows\system32\TpShocks.exe

c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

c:\program files\Citrix\ICA Client\wfcrun32.exe

c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\McAfee\VirusScan Enterprise\mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

.

**************************************************************************

.

Completion time: 2011-09-07 18:58:15 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-07 22:58

ComboFix2.txt 2011-09-05 12:46

ComboFix3.txt 2011-09-02 01:03

ComboFix4.txt 2011-08-29 03:45

.

Pre-Run: 43,778,142,208 bytes free

Post-Run: 45,204,762,624 bytes free

.

- - End Of File - - D423153499FDF7343B96FA811962666E

----------------------------------------------------------------------------------------------------------------------

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by vkandem at 19:25:33 on 2011-09-07

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1296 [GMT -4:00]

.

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FW: McAfee Host Intrusion Prevention Firewall *Disabled*

.

============== Running Processes ===============

.

C:\Program Files\CheckPoint\File Encryption\Program\pmepol.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Prot_srv.exe

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\cscmarimba\tuner\Tuner.exe

C:\Program Files\CheckPoint\Pointsec Protector Client\disknet.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

C:\WINDOWS\system32\extmgr32.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\WINDOWS\system32\mfeotlk32.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\system32\pstartSr.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

C:\Program Files\SupportSoft_AMER_CSCi\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\SupportSoft_AMER_CSCi\bin\tgsrvc.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\cscmarimba\tuner\.marimba\cscmarimba\ch.6\data\sum.exe

C:\Program Files\cscmarimba\tuner\lib\minituner.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\SupportSoft_AMER_CSCi\bin\sprtcmd.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe

C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe

C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\CheckPoint\Tray\DNTray.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\WINDOWS\system32\rundll32.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [TpShocks] TpShocks.exe

mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe

mRun: [supportSoft_AMER_CSCi] "c:\program files\supportsoft_amer_csci\bin\sprtcmd.exe" /P SupportSoft_AMER_CSCi

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"

mRun: [Check Point Endpoint Tray Application] c:\program files\common files\check point\uiframework\cptray.exe

mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [DN4TRAY] "c:\program files\checkpoint\tray\DNTray.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: GreyMSIAds = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: LogonType = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\ibm\bluetooth software\btsendto_ie_ctx.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244860886046

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://asia-ml05.asia.csc.com/dwa8W.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{EB310C1B-5101-4C68-B169-DBA139A1E6BC} : DhcpNameServer = 192.168.0.1

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Notify: igfxcui - igfxsrvc.dll

mASetup: {12A30BC0-D669-4B11-9C54-D6E16560A69B} - msiexec.exe /fu {12A30BC0-D669-4B11-9C54-D6E16560A69B} /quiet

mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

mASetup: {F88A5DAF-F376-4C6F-898A-FF57E45A340E} - msiexec.exe /fu {F88A5DAF-F376-4C6F-898A-FF57E45A340E} /quiet

mASetup: >{C9A8D376-2D89-4556-8E9F-A42EEFBDD995} - "c:\program files\internet explorer\hkcu.exe" /s

.

============= SERVICES / DRIVERS ===============

.

R0 DNPFW;Disknet Pro Device Firewall Driver;c:\windows\system32\drivers\DNPFW.sys [2011-1-11 37288]

R0 dvrem;Check Point ESME Client EPM Driver;c:\windows\system32\drivers\dvrem.sys [2011-1-11 63528]

R0 File Encryption Filter Driver;File Encryption Filter Driver;c:\windows\system32\drivers\psfilter.sys [2010-9-5 111744]

R0 File Encryption Recognizer Driver;File Encryption Recognizer Driver;c:\windows\system32\drivers\psrec.sys [2010-9-5 35712]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-11-24 337560]

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2010-2-22 224816]

R0 PSG;Check Point Media Encryption PSG;c:\windows\system32\drivers\psg.sys [2011-1-11 56232]

R0 rmm;Check Point ESME Client RMM Driver;c:\windows\system32\drivers\rmm.sys [2011-1-11 26152]

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-11-22 10880]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]

R1 rxAES100;Reflex Magnetics FIPS140-2 Driver;c:\windows\system32\drivers\rxaes100.sys [2011-1-11 46592]

R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [2010-2-9 36957]

R2 DisknetClient;Check Point ESME Client Service;c:\program files\checkpoint\pointsec protector client\disknet.exe [2011-1-11 1402376]

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2010-6-15 1498224]

R2 File Encryption Driver;File Encryption Driver;c:\windows\system32\drivers\psfilenc.sys [2010-9-5 126720]

R2 File Encryption Policy Service;File Encryption Policy Service;c:\program files\checkpoint\file encryption\program\pmepol.exe [2010-9-5 600480]

R2 FSCLM Driver;FSCLM Driver;c:\windows\system32\drivers\fsclm.sys [2010-9-5 97760]

R2 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2010-11-2 35696]

R2 hips32;McAfee HIPSCore Service ;c:\windows\system32\extmgr32.exe [2011-8-18 1178112]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2011-2-4 22816]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2011-2-4 147984]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2011-2-4 66880]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-2 69192]

R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2010-2-22 649776]

R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2010-2-22 231984]

R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-10-23 1213728]

R2 sprtsvc_supportsoft_amer_csci;SupportSoft Sprocket Service (supportsoft_amer_csci);c:\program files\supportsoft_amer_csci\bin\sprtsvc.exe [2008-10-23 202016]

R2 tgsrvc_supportsoft_amer_csci;SupportSoft Repair Service (supportsoft_amer_csci);c:\program files\supportsoft_amer_csci\bin\tgsrvc.exe [2008-10-23 148768]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2010-11-2 44680]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2010-11-2 107960]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2010-11-2 38680]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2010-11-2 35552]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-11-24 91992]

S0 KAEON;KAEon CD/DVD Writing Filter Driver;c:\windows\system32\drivers\kaeon.sys [2011-1-11 35624]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-5 135664]

S3 File Encryption Logging Service;File Encryption Logging Service;c:\program files\checkpoint\file encryption\program\pmelog.exe [2010-9-5 671648]

S3 File Encryption Service;File Encryption Service;c:\program files\checkpoint\file encryption\program\pmefsvc.exe [2010-9-5 488864]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2010-11-2 44680]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-5 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-21 41272]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-11-24 43224]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-2 67240]

S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2008-11-22 4608]

S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-11-22 15744]

S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2008-11-22 22528]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-11-22 14336]

.

=============== File Associations ===============

.

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-09-05 13:41:18 -------- d-sh--w- c:\documents and settings\vkandem\IECompatCache

2011-09-05 13:40:50 -------- d-sh--w- c:\documents and settings\vkandem\PrivacIE

2011-09-05 13:19:29 -------- d-sh--w- c:\documents and settings\vkandem\IETldCache

2011-09-05 13:09:54 -------- dc-h--w- c:\windows\ie8

2011-09-02 13:51:48 -------- d-----w- c:\documents and settings\vkandem\application data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2011-09-01 22:00:59 -------- d-----w- c:\program files\ESET

2011-08-29 02:48:26 -------- d-sha-r- C:\cmdcons

2011-08-29 02:42:57 256000 ----a-w- c:\windows\PEV.exe

2011-08-29 02:42:57 208896 ----a-w- c:\windows\MBR.exe

2011-08-29 02:42:56 98816 ----a-w- c:\windows\sed.exe

2011-08-29 02:42:56 518144 ----a-w- c:\windows\SWREG.exe

2011-08-26 13:23:27 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-08-25 23:06:40 573440 ----a-w- c:\program files\mozilla firefox\tweaking.com - windows repair\Repair_Windows.exe

2011-08-25 23:06:39 36864 ----a-w- c:\program files\mozilla firefox\tweaking.com - windows repair\files\regini.exe

2011-08-25 23:06:39 290304 ----a-w- c:\program files\mozilla firefox\tweaking.com - windows repair\files\subinacl.exe

2011-08-23 19:22:30 -------- d-----w- c:\documents and settings\vkandem\application data\Adobe Mini Bridge CS5

2011-08-23 19:22:27 -------- d-----w- c:\documents and settings\vkandem\application data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2011-08-22 02:03:49 -------- d-----w- c:\documents and settings\vkandem\CPInfo

2011-08-21 22:28:50 -------- d-----w- C:\Quarantine

2011-08-21 19:38:18 -------- d-----w- c:\documents and settings\vkandem\application data\Malwarebytes

2011-08-21 19:38:08 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-21 19:38:01 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-08-21 19:37:56 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-21 19:37:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-21 19:21:35 -------- d-----w- c:\program files\Media Player Classic - Home Cinema

2011-08-21 18:04:29 -------- d-----w- c:\program files\VideoLAN

2011-08-21 16:17:02 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-08-21 16:16:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-08-21 16:16:42 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2011-08-21 16:16:42 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-08-21 12:30:53 -------- d-----w- c:\documents and settings\vkandem\local settings\application data\TVU Networks

2011-08-21 12:30:53 -------- d-----w- c:\documents and settings\all users\application data\TVU Networks

2011-08-21 12:30:52 -------- d-----w- c:\documents and settings\vkandem\LocalLow

2011-08-21 12:30:04 -------- d-----w- c:\windows\system32\TVUAx

2011-08-20 19:07:07 -------- d-----w- c:\documents and settings\all users\application data\regid.1986-12.com.adobe

2011-08-20 18:29:40 0 ---ha-w- c:\windows\system32\gavinsmqtb.tmp

2011-08-19 22:29:20 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys

2011-08-19 22:29:20 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2011-08-19 22:29:10 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys

2011-08-19 22:29:10 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2011-08-19 22:29:07 16384 ----a-w- c:\windows\system32\ipsink.ax

2011-08-19 22:29:07 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys

2011-08-19 22:29:07 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2011-08-19 22:29:01 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys

2011-08-19 22:29:01 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2011-08-19 22:28:57 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys

2011-08-19 22:28:57 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2011-08-19 22:28:54 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys

2011-08-19 22:28:54 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2011-08-19 22:28:50 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys

2011-08-19 22:28:50 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2011-08-19 22:28:02 91136 ----a-w- c:\windows\system32\kswdmcap.ax

2011-08-19 22:28:02 61952 ----a-w- c:\windows\system32\kstvtune.ax

2011-08-19 22:28:01 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2011-08-19 22:28:01 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2011-08-19 22:28:01 43008 ----a-w- c:\windows\system32\ksxbar.ax

2011-08-19 22:28:01 20992 ----a-w- c:\windows\system32\dshowext.ax

2011-08-19 22:26:09 -------- d-----w- c:\documents and settings\vkandem\local settings\application data\Temp

2011-08-19 22:26:00 -------- d-----w- c:\documents and settings\vkandem\local settings\application data\Facebook

2011-08-19 22:16:03 -------- d-----w- c:\documents and settings\vkandem\local settings\application data\Google

2011-08-18 22:35:18 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-08-18 13:32:19 1178112 ----a-w- c:\windows\system32\mfeotlk32.exe

2011-08-18 13:32:15 1178112 ----a-w- c:\windows\system32\extmgr32.exe

2011-08-17 21:15:35 -------- d-----w- c:\documents and settings\all users\application data\Citrix

2011-08-17 21:15:08 -------- d-----w- c:\documents and settings\vkandem\local settings\application data\Citrix

2011-08-17 21:15:08 -------- d-----w- c:\documents and settings\vkandem\application data\ICAClient

2011-08-17 21:14:36 -------- d-----w- c:\program files\Citrix

2011-08-17 17:25:14 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2011-08-17 17:25:14 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-08-17 17:24:42 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2011-08-17 17:24:42 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2011-08-17 17:24:20 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-08-17 17:24:20 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-08-17 12:11:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-17 02:13:59 -------- d-----w- c:\documents and settings\vkandem\local settings\application data\Mozilla

2011-08-17 02:04:49 -------- d-----w- c:\documents and settings\vkandem\local settings\application data\Adobe

2011-08-17 00:10:16 15360 ----a-w- c:\windows\system32\srvany.exe

2011-08-17 00:08:45 -------- d-----w- c:\windows\system32\CatRoot2

2011-08-16 23:43:03 -------- d-----w- c:\program files\common files\Reflex

2011-08-16 23:42:24 -------- d-----w- c:\program files\CheckPoint

2011-08-16 22:06:26 -------- d-----w- c:\documents and settings\vkandem\local settings\application data\PCHealth

2011-08-15 20:36:55 -------- d-----w- C:\bPowerTemp

2011-08-15 19:41:20 173362 ----a-w- C:\Run_Intelliboot.exe

2011-08-15 19:37:12 -------- d-----w- c:\windows\system32\GroupPolicy_Backup-2011815-153712

2011-08-15 18:54:40 -------- d-----w- c:\program files\cscmarimba

2011-08-15 18:44:26 -------- d-----w- c:\windows\Internet Logs

2011-08-15 18:30:45 -------- d-----w- c:\program files\Pointsec

2011-08-15 18:30:45 -------- d-----w- c:\program files\common files\Check Point

2011-08-15 18:29:58 2097152 --sh--r- C:\PROT_INS.SYS

2011-08-15 18:29:56 -------- d-----w- c:\documents and settings\all users\application data\Pointsec

.

==================== Find3M ====================

.

2011-08-26 13:22:45 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-05 05:56:14 136512 ----a-w- c:\windows\system32\KevlarSigs.dll

.

============= FINISH: 19:27:01.81 ===============

----------------------------------------------------------------------------------------------------------------------

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17DA3CAA-5ABB-4203-950E-77C6C7AB7193}]
File::
c:\windows\system32\audiosrv32.dll

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

Hi,

Don't get me wrong but I don't see any progress. audiosrv32.dll still remains in system32 folder.

Do I need to do this again.

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

  • Staff

It is not necessary, no.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Java™ 6 Update 26

Java™ 6 Update 5

Restart your computer.

Get the latest version of Java.

Let me know what issues remain.

-screen317

Link to post
Share on other sites

  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.