Start a Conversation

Unsolved

This post is more than 5 years old

3322

January 5th, 2010 10:00

Advertising Pop-Ups and Slowness

I keep getting advertising pop-ups and the computer is running slower. Mostly when I use IE, I get pop ups galore! Any suggestions? Here is a HJT Log and DDS Log. Thanks!

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:12 PM, on 1/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Novell\CASA\bin\micasad.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\knoy001\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://feeds.eng.fiu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZenNotifyIcon] C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
O4 - HKLM\..\Run: [ZENWorksUserDaemon] C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe
O4 - HKLM\..\Run: [NalView] C:\Program Files\Novell\ZENworks\bin\nalview.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uvc7jk640c] C:\DOCUME~1\knoy001\LOCALS~1\Temp\c.exe
O4 - HKCU\..\Run: [ZagrebLand] C:\DOCUME~1\knoy001\LOCALS~1\Temp\b.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\knoy001\Application Data\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254237067046
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O20 - Winlogon Notify: LCredMgr - C:\Program Files\Novell\CASA\bin\lcredmgr.dll
O20 - Winlogon Notify: nzrNotifier - C:\WINDOWS\SYSTEM32\nzrNotifier.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Novell Identity Store - Novell, Inc - C:\Program Files\Novell\CASA\bin\micasad.exe
O23 - Service: Novell ZENworks Agent Service - Novell, Inc. - C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe
O23 - Service: Novell ZENworks Remote Management powered by VNC (nzwinvnc) - Novell, Inc. - C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe
O23 - Service: Novell ZENworks Pre Agent (ZENPreAgent) - Unknown owner - C:\WINDOWS\novell\zenworks\bin\ZENPreAgent.exe

--
End of file - 8918 bytes

 

 

20.5K Posts

January 22nd, 2010 16:00

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Double click on ComboFix.exe & follow the prompts.









  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.




  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log for further review.











 

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

* Additional information on A/V control HERE. * ComboFix is not intended for use with servers.

313 Posts

January 25th, 2010 16:00

ComboFix 10-01-25.02 - knoy001 01/25/2010  19:36:12.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2408 [GMT -5:00]
Running from: c:\documents and settings\knoy001\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

(((((((((((((((((((((((((   Files Created from 2009-12-26 to 2010-01-26  )))))))))))))))))))))))))))))))
.

2010-01-13 19:28 . 2010-01-07 21:07    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 19:28 . 2010-01-07 21:07    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-01-13 19:28 . 2010-01-13 19:28    --------    d-----w-    c:\documents and settings\All Users\Application Data\TEMP

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 00:32 . 2009-10-16 02:32    --------    d-----w-    c:\documents and settings\knoy001\Application Data\Dropbox
2010-01-25 07:37 . 2009-11-09 23:12    664    ----a-w-    c:\windows\system32\d3d9caps.dat
2010-01-23 00:54 . 2009-10-28 21:46    --------    d-----w-    c:\documents and settings\knoy001\Application Data\U3
2010-01-20 01:36 . 2009-09-29 14:44    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-13 19:41 . 2009-12-22 20:47    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-01-13 19:30 . 2009-12-22 20:47    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-13 19:28 . 2010-01-13 19:28    --------    d-----w-    c:\program files\SpywareBlaster
2010-01-13 19:28 . 2010-01-08 00:09    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-01-12 00:16 . 2009-12-11 22:11    --------    d-----w-    c:\program files\Graboid
2010-01-08 19:44 . 2009-10-13 23:47    411368    ----a-w-    c:\windows\system32\deploytk.dll
2010-01-08 19:44 . 2010-01-08 19:44    --------    d-----w-    c:\program files\Java
2010-01-08 00:09 . 2010-01-08 00:09    --------    d-----w-    c:\documents and settings\knoy001\Application Data\Malwarebytes
2010-01-08 00:09 . 2010-01-08 00:09    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-22 20:50 . 2009-12-22 20:50    --------    d-----w-    c:\program files\Trend Micro
2009-12-22 20:40 . 2009-12-22 20:40    --------    d-----w-    c:\program files\CCleaner
2009-12-21 15:43 . 2009-12-21 15:43    --------    d-----w-    c:\documents and settings\administrator\Application Data\Windows Desktop Search
2009-12-21 15:43 . 2009-12-21 15:43    68456    ----a-w-    c:\documents and settings\administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-15 17:22 . 2009-12-15 17:22    --------    d-----w-    c:\program files\Paint.NET
2009-12-11 23:25 . 2009-12-11 23:25    --------    d-----w-    c:\documents and settings\knoy001\Application Data\vlc
2009-12-11 22:16 . 2009-12-11 22:15    --------    d-----w-    c:\documents and settings\knoy001\Application Data\MozillaControl
2009-12-11 22:13 . 2009-12-11 22:13    --------    d-----w-    c:\program files\Mozilla ActiveX Control v1.7.12
2009-12-11 22:12 . 2009-12-11 22:12    --------    d-----w-    c:\program files\VideoLAN
2009-12-11 20:16 . 2009-12-11 20:16    73728    ----a-w-    c:\windows\NalRedir.dll
2009-11-26 16:55 . 2009-11-26 16:55    94208    ----a-w-    c:\windows\system32\ZenCCS.dll
2009-11-26 16:55 . 2009-11-26 16:55    126976    ----a-w-    c:\windows\system32\ZenLgn.dll
2009-11-26 16:53 . 2009-11-26 16:53    24576    ----a-w-    c:\windows\system32\ZenPol.dll
2009-11-24 21:21 . 2009-10-23 22:50    127325    ----a-w-    c:\documents and settings\knoy001\Application Data\Move Networks\uninstall.exe
2009-11-24 21:21 . 2009-08-13 19:21    4187512    ----a-w-    c:\documents and settings\knoy001\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-24 21:21 . 2009-11-24 21:21    1408800    ----a-w-    c:\documents and settings\knoy001\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-23 21:47 . 2009-11-23 21:47    79488    ----a-w-    c:\documents and settings\knoy001\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-20 12:36 . 2009-11-20 12:36    57344    ----a-w-    c:\windows\system32\nzrNotifier.dll
2009-11-10 23:20 . 2009-11-10 23:20    424960    ----a-w-    c:\windows\system32\NWGina.dll
2009-06-01 23:19 . 2009-06-01 23:19    6253    ----a-w-    c:\program files\eula.rtf
2008-09-29 12:07 . 2009-09-29 15:16    22576    ----a-w-    c:\program files\mozilla firefox\components\Scriptff.dll
.

(((((((((((((((((((((((((((((   SnapShot@2010-01-26_00.25.25   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-26 00:39 . 2010-01-26 00:39    53248              c:\windows\Temp\catchme.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18    77824    ----a-w-    c:\documents and settings\knoy001\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18    77824    ----a-w-    c:\documents and settings\knoy001\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18    77824    ----a-w-    c:\documents and settings\knoy001\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"ZenNotifyIcon"="c:\program files\Novell\Zenworks\bin\ZenNotifyIcon.exe" [2009-11-26 143360]
"ZENWorksUserDaemon"="c:\program files\Novell\ZENworks\bin\ZenUserDaemon.exe" [2009-11-26 14848]
"NalView"="c:\program files\Novell\ZENworks\bin\nalview.exe" [2009-12-11 53760]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-03-10 136512]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-10-20 53248]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-10-20 57344]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-08 149280]

c:\documents and settings\knoy001\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\knoy001\Application Data\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\bin\NalShell.dll" [2009-12-11 929792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LCredMgr]
2009-06-24 23:58    61440    ----a-w-    c:\program files\Novell\CASA\bin\lcredmgr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nzrNotifier]
2009-11-20 12:36    57344    ----a-w-    c:\windows\system32\nzrNotifier.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ       msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novell\\ZENworks\\bin\\nzrWinVNC.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7628:TCP"= 7628:TCP:ZENworks TCP - Port 7628
"7628:UDP"= 7628:UDP:ZENworks UDP - Port 7628

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [9/29/2009 10:05 AM 34592]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [9/29/2009 8:14 AM 12672]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 7:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/29/2009 10:16 AM 67904]
R2 Novell Identity Store;Novell Identity Store;c:\program files\Novell\CASA\bin\micasad.exe [6/24/2009 6:58 PM 245760]
R2 Novell ZENworks Agent Service;Novell ZENworks Agent Service;c:\program files\Novell\ZENworks\bin\ZenworksWindowsService.exe [11/26/2009 11:45 AM 28672]
R2 nzwinvnc;Novell ZENworks Remote Management powered by VNC;c:\program files\Novell\ZENworks\bin\nzrWinVNC.exe [11/20/2009 7:35 AM 2379776]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [9/29/2009 9:29 AM 9176]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [4/7/2009 12:50 PM 31896]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/29/2009 10:16 AM 64432]
S3 ZENPreAgent;Novell ZENworks Pre Agent;c:\windows\novell\zenworks\bin\ZENPreAgent.exe [9/29/2009 9:26 AM 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://feeds.eng.fiu.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\knoy001\Application Data\Mozilla\Firefox\Profiles\s27f5eiz.default\
FF - prefs.js: browser.startup.homepage - hxxp://feeds.eng.fiu.edu/
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\knoy001\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\knoy001\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\knoy001\Application Data\Mozilla\Firefox\Profiles\s27f5eiz.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 19:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\windows\system32\NETWIN32.DLL
c:\windows\system32\ZENPol.dll
c:\windows\system32\nzrNotifier.dll
c:\program files\Novell\ZENworks\bin\nzrLogger.dll
c:\program files\Novell\ZENworks\bin\modules\RemotingService.dll
c:\program files\Novell\ZENworks\bin\zmd.dll
c:\program files\Novell\ZENworks\bin\Novell.Zenworks.Logger.dll
c:\program files\Novell\ZENworks\bin\Novell.Zenworks.extlogger.dll

- - - - - - - > 'Explorer.exe'(112)
c:\windows\system32\WININET.dll
c:\documents and settings\knoy001\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\program files\Novell\ZENworks\bin\NLS\English\NalUIRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\NalRedir.dll
c:\program files\Novell\ZENworks\bin\modules\AppModule.dll
c:\program files\Novell\ZENworks\bin\zmd.dll
c:\program files\Novell\ZENworks\bin\Novell.Zenworks.Logger.dll
c:\program files\Novell\ZENworks\bin\Novell.Zenworks.extlogger.dll
c:\program files\Novell\ZENworks\bin\Localizer.dll
c:\program files\Novell\ZENworks\bin\XmlSerializers\Localizer.XmlSerializers.dll
c:\windows\system32\NETWIN32.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
.
Completion time: 2010-01-25  19:41:01
ComboFix-quarantined-files.txt  2010-01-26 00:40
ComboFix2.txt  2010-01-26 00:29

Pre-Run: 69,217,808,384 bytes free
Post-Run: 69,255,548,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 990D4959DE3B3B2CBADCF8E6C3B1F94E

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:26 PM, on 1/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Novell\CASA\bin\micasad.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://feeds.eng.fiu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZenNotifyIcon] C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
O4 - HKLM\..\Run: [ZENWorksUserDaemon] C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe
O4 - HKLM\..\Run: [NalView] C:\Program Files\Novell\ZENworks\bin\nalview.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\knoy001\Application Data\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254237067046
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O20 - Winlogon Notify: LCredMgr - C:\Program Files\Novell\CASA\bin\lcredmgr.dll
O20 - Winlogon Notify: nzrNotifier - C:\WINDOWS\SYSTEM32\nzrNotifier.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Novell Identity Store - Novell, Inc - C:\Program Files\Novell\CASA\bin\micasad.exe
O23 - Service: Novell ZENworks Agent Service - Novell, Inc. - C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe
O23 - Service: Novell ZENworks Remote Management powered by VNC (nzwinvnc) - Novell, Inc. - C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe
O23 - Service: Novell ZENworks Pre Agent (ZENPreAgent) - Unknown owner - C:\WINDOWS\novell\zenworks\bin\ZENPreAgent.exe

--
End of file - 8107 bytes

20.5K Posts

January 25th, 2010 17:00


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

You log is showing that McAfee was still enabled. Please disable McAfee and run ComboFix again.

If that does not work, please uninstall McAfee. (If you have the CD's, or use McAfee Support,  you can re-install it once we have verified that the computer is clean.)

 

  • Please open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.
  • Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)
  • Next, select never for "When to re-enable real time scanning"
  • and click OK.

Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/microsite.do?cmd=displayKCPopup&docType=kc&externalID=222820

313 Posts

January 27th, 2010 15:00

Sorry, it said it was disabled. Hopefully it worked this time.

 

ComboFix 10-01-27.02 - knoy001 01/27/2010  14:55:36.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2294 [GMT -5:00]
Running from: c:\documents and settings\knoy001\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\catchme.dll

.
(((((((((((((((((((((((((   Files Created from 2009-12-27 to 2010-01-27  )))))))))))))))))))))))))))))))
.

2010-01-13 19:28 . 2010-01-07 21:07    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 19:28 . 2010-01-07 21:07    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-01-13 19:28 . 2010-01-13 19:28    --------    d-----w-    c:\documents and settings\All Users\Application Data\TEMP

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 20:09 . 2009-10-16 02:32    --------    d-----w-    c:\documents and settings\knoy001\Application Data\Dropbox
2010-01-27 07:14 . 2009-11-09 23:12    664    ----a-w-    c:\windows\system32\d3d9caps.dat
2010-01-23 00:54 . 2009-10-28 21:46    --------    d-----w-    c:\documents and settings\knoy001\Application Data\U3
2010-01-20 01:36 . 2009-09-29 14:44    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-13 19:41 . 2009-12-22 20:47    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-01-13 19:30 . 2009-12-22 20:47    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-13 19:28 . 2010-01-13 19:28    --------    d-----w-    c:\program files\SpywareBlaster
2010-01-13 19:28 . 2010-01-08 00:09    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-01-12 00:16 . 2009-12-11 22:11    --------    d-----w-    c:\program files\Graboid
2010-01-08 19:44 . 2009-10-13 23:47    411368    ----a-w-    c:\windows\system32\deploytk.dll
2010-01-08 19:44 . 2010-01-08 19:44    --------    d-----w-    c:\program files\Java
2010-01-08 00:09 . 2010-01-08 00:09    --------    d-----w-    c:\documents and settings\knoy001\Application Data\Malwarebytes
2010-01-08 00:09 . 2010-01-08 00:09    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-22 20:50 . 2009-12-22 20:50    --------    d-----w-    c:\program files\Trend Micro
2009-12-22 20:40 . 2009-12-22 20:40    --------    d-----w-    c:\program files\CCleaner
2009-12-21 15:43 . 2009-12-21 15:43    --------    d-----w-    c:\documents and settings\administrator\Application Data\Windows Desktop Search
2009-12-21 15:43 . 2009-12-21 15:43    68456    ----a-w-    c:\documents and settings\administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-15 17:22 . 2009-12-15 17:22    --------    d-----w-    c:\program files\Paint.NET
2009-12-11 23:25 . 2009-12-11 23:25    --------    d-----w-    c:\documents and settings\knoy001\Application Data\vlc
2009-12-11 22:16 . 2009-12-11 22:15    --------    d-----w-    c:\documents and settings\knoy001\Application Data\MozillaControl
2009-12-11 22:13 . 2009-12-11 22:13    --------    d-----w-    c:\program files\Mozilla ActiveX Control v1.7.12
2009-12-11 22:12 . 2009-12-11 22:12    --------    d-----w-    c:\program files\VideoLAN
2009-12-11 20:16 . 2009-12-11 20:16    73728    ----a-w-    c:\windows\NalRedir.dll
2009-11-26 16:55 . 2009-11-26 16:55    94208    ----a-w-    c:\windows\system32\ZenCCS.dll
2009-11-26 16:55 . 2009-11-26 16:55    126976    ----a-w-    c:\windows\system32\ZenLgn.dll
2009-11-26 16:53 . 2009-11-26 16:53    24576    ----a-w-    c:\windows\system32\ZenPol.dll
2009-11-24 21:21 . 2009-10-23 22:50    127325    ----a-w-    c:\documents and settings\knoy001\Application Data\Move Networks\uninstall.exe
2009-11-24 21:21 . 2009-08-13 19:21    4187512    ----a-w-    c:\documents and settings\knoy001\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-24 21:21 . 2009-11-24 21:21    1408800    ----a-w-    c:\documents and settings\knoy001\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-23 21:47 . 2009-11-23 21:47    79488    ----a-w-    c:\documents and settings\knoy001\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-20 12:36 . 2009-11-20 12:36    57344    ----a-w-    c:\windows\system32\nzrNotifier.dll
2009-11-10 23:20 . 2009-11-10 23:20    424960    ----a-w-    c:\windows\system32\NWGina.dll
2009-06-01 23:19 . 2009-06-01 23:19    6253    ----a-w-    c:\program files\eula.rtf
2008-09-29 12:07 . 2009-09-29 15:16    22576    ----a-w-    c:\program files\mozilla firefox\components\Scriptff.dll
.

(((((((((((((((((((((((((((((   SnapShot@2010-01-26_00.25.25   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-27 19:59 . 2010-01-27 19:59    16384              c:\windows\Temp\Perflib_Perfdata_798.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18    77824    ----a-w-    c:\documents and settings\knoy001\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18    77824    ----a-w-    c:\documents and settings\knoy001\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18    77824    ----a-w-    c:\documents and settings\knoy001\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"ZenNotifyIcon"="c:\program files\Novell\Zenworks\bin\ZenNotifyIcon.exe" [2009-11-26 143360]
"ZENWorksUserDaemon"="c:\program files\Novell\ZENworks\bin\ZenUserDaemon.exe" [2009-11-26 14848]
"NalView"="c:\program files\Novell\ZENworks\bin\nalview.exe" [2009-12-11 53760]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-03-10 136512]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-10-20 53248]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-10-20 57344]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-08 149280]

c:\documents and settings\knoy001\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\knoy001\Application Data\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\bin\NalShell.dll" [2009-12-11 929792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LCredMgr]
2009-06-24 23:58    61440    ----a-w-    c:\program files\Novell\CASA\bin\lcredmgr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nzrNotifier]
2009-11-20 12:36    57344    ----a-w-    c:\windows\system32\nzrNotifier.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ       msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Novell\\ZENworks\\bin\\nzrWinVNC.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7628:TCP"= 7628:TCP:ZENworks TCP - Port 7628
"7628:UDP"= 7628:UDP:ZENworks UDP - Port 7628

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [9/29/2009 10:05 AM 34592]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [9/29/2009 8:14 AM 12672]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 7:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/29/2009 10:16 AM 67904]
R2 Novell Identity Store;Novell Identity Store;c:\program files\Novell\CASA\bin\micasad.exe [6/24/2009 6:58 PM 245760]
R2 Novell ZENworks Agent Service;Novell ZENworks Agent Service;c:\program files\Novell\ZENworks\bin\ZenworksWindowsService.exe [11/26/2009 11:45 AM 28672]
R2 nzwinvnc;Novell ZENworks Remote Management powered by VNC;c:\program files\Novell\ZENworks\bin\nzrWinVNC.exe [11/20/2009 7:35 AM 2379776]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [9/29/2009 9:29 AM 9176]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [4/7/2009 12:50 PM 31896]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/29/2009 10:16 AM 64432]
S3 ZENPreAgent;Novell ZENworks Pre Agent;c:\windows\novell\zenworks\bin\ZENPreAgent.exe [9/29/2009 9:26 AM 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://feeds.eng.fiu.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\knoy001\Application Data\Mozilla\Firefox\Profiles\s27f5eiz.default\
FF - prefs.js: browser.startup.homepage - hxxp://feeds.eng.fiu.edu/
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\knoy001\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\knoy001\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\knoy001\Application Data\Mozilla\Firefox\Profiles\s27f5eiz.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 15:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


c:\windows\TEMP\etilqs_rduVU0qcOq7p7HyiLtMY 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\NETWIN32.DLL
c:\windows\system32\ZENPol.dll
c:\windows\system32\nzrNotifier.dll
c:\program files\Novell\ZENworks\bin\nzrLogger.dll
c:\program files\Novell\ZENworks\bin\modules\RemotingService.dll
c:\program files\Novell\ZENworks\bin\zmd.dll
c:\program files\Novell\ZENworks\bin\Novell.Zenworks.Logger.dll
c:\program files\Novell\ZENworks\bin\Novell.Zenworks.extlogger.dll

- - - - - - - > 'Explorer.exe'(3400)
c:\windows\system32\WININET.dll
c:\documents and settings\knoy001\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\program files\Novell\ZENworks\bin\NLS\English\NalUIRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\NalRedir.dll
c:\program files\Novell\ZENworks\bin\modules\AppModule.dll
c:\program files\Novell\ZENworks\bin\zmd.dll
c:\program files\Novell\ZENworks\bin\Novell.Zenworks.Logger.dll
c:\program files\Novell\ZENworks\bin\Novell.Zenworks.extlogger.dll
c:\program files\Novell\ZENworks\bin\Localizer.dll
c:\program files\Novell\ZENworks\bin\XmlSerializers\Localizer.XmlSerializers.dll
c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\3963ce03d445a8619abbf388d590134b\System.Web.ni.dll
c:\windows\system32\NETWIN32.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\NWTRAY.EXE
c:\program files\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Completion time: 2010-01-27  15:12:14 - machine was rebooted
ComboFix-quarantined-files.txt  2010-01-27 20:12
ComboFix2.txt  2010-01-26 00:41
ComboFix3.txt  2010-01-26 00:29

Pre-Run: 69,253,468,160 bytes free
Post-Run: 69,218,029,568 bytes free

- - End Of File - - 38F12D053C76DDF79760640CD7350DC2

 

 

 

 

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:12 PM, on 1/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Novell\CASA\bin\micasad.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\knoy001\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://feeds.eng.fiu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZenNotifyIcon] C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
O4 - HKLM\..\Run: [ZENWorksUserDaemon] C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe
O4 - HKLM\..\Run: [NalView] C:\Program Files\Novell\ZENworks\bin\nalview.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\knoy001\Application Data\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254237067046
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fiu.edu,eng.fiu.edu
O20 - Winlogon Notify: LCredMgr - C:\Program Files\Novell\CASA\bin\lcredmgr.dll
O20 - Winlogon Notify: nzrNotifier - C:\WINDOWS\SYSTEM32\nzrNotifier.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Novell Identity Store - Novell, Inc - C:\Program Files\Novell\CASA\bin\micasad.exe
O23 - Service: Novell ZENworks Agent Service - Novell, Inc. - C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe
O23 - Service: Novell ZENworks Remote Management powered by VNC (nzwinvnc) - Novell, Inc. - C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe
O23 - Service: Novell ZENworks Pre Agent (ZENPreAgent) - Unknown owner - C:\WINDOWS\novell\zenworks\bin\ZENPreAgent.exe

--
End of file - 8238 bytes

20.5K Posts

January 27th, 2010 16:00

Your log looks pretty clean. What symptoms of malware are you still seeing?

313 Posts

January 27th, 2010 17:00

Redirection to other websites when using IE.

20.5K Posts

January 27th, 2010 18:00


Please download GMER Rootkit Scanner from HERE or HERE
Unzip it to your Desktop.

========================================================
Please disable McAfee per instructions above. Make sure you disable all components or uninstall McAfee.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

* Click Yes.
* Once the scan is complete, you may receive another notice about rootkit activity.
* Click OK.
* GMER will produce a log.

* Once done, click the Copy button.
This will copy the results to your clipboard.

* Please post that log in your next reply.

**NOTE: Warning! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.

 

20.5K Posts

January 31st, 2010 20:00

There has been no reply within 3 days.
Due to the lack of feedback this topic is closed.
Everyone else please begin a New Message at the top of the forum.

313 Posts

February 2nd, 2010 11:00

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-02 14:03:53
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\knoy001\LOCALS~1\Temp\pfxcrfow.sys


---- System - GMER 1.0.15 ----

Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwCreateFile [0xF78661C8]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwCreateKey [0xF7866086]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwCreateProcess [0xF7866020]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwCreateProcessEx [0xF7866034]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwDeleteKey [0xF786609A]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwDeleteValueKey [0xF78660C6]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwEnumerateKey [0xF7866134]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwEnumerateValueKey [0xF786611E]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwLoadKey2 [0xF786614A]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwMapViewOfSection [0xF7866208]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwNotifyChangeKey [0xF7866176]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwOpenKey [0xF7866072]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwOpenProcess [0xF7865FE4]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwOpenThread [0xF7865FF8]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwProtectVirtualMemory [0xF78661DC]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwQueryKey [0xF78661B2]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwQueryMultipleValueKey [0xF7866108]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwQueryValueKey [0xF78660F2]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwRenameKey [0xF78660B0]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwReplaceKey [0xF786619E]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwRestoreKey [0xF786618A]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwSetContextThread [0xF786605E]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwSetInformationProcess [0xF786604A]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwSetValueKey [0xF78660DC]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwTerminateProcess [0xF7866237]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwUnloadKey [0xF7866160]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwUnmapViewOfSection [0xF786621E]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  ZwYieldExecution [0xF78661F2]
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  NtCreateFile
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  NtMapViewOfSection
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  NtOpenProcess
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  NtOpenThread
Code            mfehidk.sys (McAfee Link Driver/McAfee, Inc.)  NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                         mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip                       mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                      mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Udp                      mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                    mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

20.5K Posts

February 2nd, 2010 14:00

You've run the best tools available and that's one of the best rootkit scanners. It is coming up with no malware.

We will try one more scan, but if it shows nothing to indicate the redirects, in order to save your time and mine, I suggest a reformat/reinstall.

Go HERE and download File Lister.

  • Save it to your Desktop Rt Click ->> Extract all ->> And extract it to your Desktop
    Additional help on extracting zip files can be found HERE
    Open the File Lister Folder.
    Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
    As the program runs, it will appear that nothing is happening.
    When the program is fnished it will produce a log for you C:\Files.txt

Copy and paste the contents of that log in your reply.

313 Posts

February 2nd, 2010 17:00


++++++++++++++++++++++++++++++++++
+ File Lister  Version 1.1.2     +
+                                +
+ By bamajim / SpywareHammer.com +
++++++++++++++++++++++++++++++++++

Report ran on --->>>  2/2/2010 8:04:38 PM


====== Running Processes ======

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Novell\CASA\bin\micasad.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\knoy001\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE


====== BHO's ======
BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: (NO NAME) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll

BHO: (NO NAME) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

====== HKLM\~\Run Keys ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[SoundMAXPnP] = C:\Program Files\Analog Devices\Core\smax4pnp.exe
[ATIPTA] = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[NWTRAY] = NWTRAY.EXE
[ZenNotifyIcon] = C:\Program Files\Novell\Zenworks\bin\ZenNotifyIcon.exe
[ZENWorksUserDaemon] = C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe
[NalView] = C:\Program Files\Novell\ZENworks\bin\nalview.exe
[McAfeeUpdaterUI] = "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
[iPrint Tray] = C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
[iPrint Event Monitor] = C:\WINDOWS\system32\iprntlgn.exe
[ShStatEXE] = "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
[Adobe Reader Speed Launcher] = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
[Adobe ARM] = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[HPDJ Taskbar Utility] = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
[SunJavaUpdateSched] = "C:\Program Files\Java\jre6\bin\jusched.exe"

====== HKCU\~\Run Keys ======

[ctfmon.exe] = C:\WINDOWS\system32\ctfmon.exe

====== DNS Info (List may be empty) ======

HKEY_LOCAL_MACHINE\CCS\~\{D63AAE5D-6F48-4446-AA1D-2FA8C6ED3C92}\  NameServer=

HKEY_LOCAL_MACHINE\CS001\~\{D63AAE5D-6F48-4446-AA1D-2FA8C6ED3C92}\  NameServer=

HKEY_LOCAL_MACHINE\CS002\~\{D63AAE5D-6F48-4446-AA1D-2FA8C6ED3C92}\  NameServer=


====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

1/25/2010 7:35:44 PM    8119827    C:\cmdcons
1/25/2010 7:35:46 PM    860672    C:\cmdcons\SYSTEM32
1/25/2010 7:07:14 PM    1083197    C:\Qoobox
1/27/2010 2:55:00 PM    12012    C:\Qoobox\BackEnv
1/25/2010 7:07:14 PM    251697    C:\Qoobox\Quarantine
1/25/2010 7:10:34 PM    246272    C:\Qoobox\Quarantine\C
1/25/2010 7:11:00 PM    246272    C:\Qoobox\Quarantine\C\WINDOWS
1/25/2010 7:11:00 PM    193024    C:\Qoobox\Quarantine\C\WINDOWS\system32
1/25/2010 7:11:00 PM    193024    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers
1/27/2010 2:57:57 PM    53248    C:\Qoobox\Quarantine\C\WINDOWS\Temp
1/25/2010 7:07:14 PM    5031    C:\Qoobox\Quarantine\Registry_backups
12/21/2009 10:49:35 AM    744960    C:\Quarantine
2/2/2010 8:03:16 PM    294261    C:\RECYCLER
2/2/2010 8:03:16 PM    294261    C:\RECYCLER\S-1-5-21-299502267-790525478-1606980848-1006
1/25/2010 7:35:50 PM    211    32    C:\Boot.bak
1/25/2010 7:35:46 PM    260272    32    C:\cmldr
1/27/2010 3:12:15 PM    15008    32    C:\ComboFix.txt
2/2/2010 8:04:38 PM    2537    32    C:\Files.txt
1/25/2010 7:07:32 PM    121030816    C:\WINDOWS\ERDNT
1/25/2010 7:27:56 PM    24094120    C:\WINDOWS\ERDNT\cache
1/25/2010 7:07:32 PM    48475461    C:\WINDOWS\ERDNT\Hiv-backup
1/27/2010 2:54:59 PM    6463488    C:\WINDOWS\ERDNT\Hiv-backup\Users
1/27/2010 2:54:59 PM    241664    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001
1/27/2010 2:54:59 PM    8192    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002
1/27/2010 2:54:59 PM    241664    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003
1/27/2010 2:54:59 PM    8192    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004
1/27/2010 2:54:59 PM    5771264    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005
1/27/2010 2:54:59 PM    192512    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006
1/25/2010 7:11:13 PM    48461125    C:\WINDOWS\ERDNT\subs
1/25/2010 7:11:16 PM    6467584    C:\WINDOWS\ERDNT\subs\Users
1/25/2010 7:11:16 PM    241664    C:\WINDOWS\ERDNT\subs\Users\00000001
1/25/2010 7:11:16 PM    8192    C:\WINDOWS\ERDNT\subs\Users\00000002
1/25/2010 7:11:16 PM    241664    C:\WINDOWS\ERDNT\subs\Users\00000003
1/25/2010 7:11:16 PM    8192    C:\WINDOWS\ERDNT\subs\Users\00000004
1/25/2010 7:11:16 PM    5775360    C:\WINDOWS\ERDNT\subs\Users\00000005
1/25/2010 7:11:16 PM    192512    C:\WINDOWS\ERDNT\subs\Users\00000006
2/1/2010 2:42:43 PM    270336    C:\WINDOWS\Minidump
1/11/2010 8:54:25 PM    832    C:\WINDOWS\pss
1/11/2010 8:58:45 PM    0    32    C:\WINDOWS\0.log
1/11/2010 7:18:06 PM    2022    32    C:\WINDOWS\comsetup.log
1/11/2010 7:18:05 PM    6183    32    C:\WINDOWS\FaxSetup.log
1/25/2010 7:07:46 PM    80412    32    C:\WINDOWS\grep.exe
1/11/2010 7:18:05 PM    6643    32    C:\WINDOWS\iis6.log
1/11/2010 7:18:06 PM    1374    32    C:\WINDOWS\imsins.log
1/11/2010 7:18:03 PM    10179    32    C:\WINDOWS\KB940157Uninst.log
1/25/2010 7:07:46 PM    77312    32    C:\WINDOWS\MBR.exe
1/11/2010 7:18:07 PM    425    32    C:\WINDOWS\MedCtrOC.log
1/11/2010 7:18:06 PM    309    32    C:\WINDOWS\msgsocm.log
1/11/2010 7:18:06 PM    1874    32    C:\WINDOWS\msmqinst.log
12/11/2009 3:16:54 PM    73728    32    C:\WINDOWS\NalRedir.dll
1/11/2010 7:18:07 PM    1083    32    C:\WINDOWS\netfxocm.log
1/25/2010 7:07:46 PM    31232    32    C:\WINDOWS\NIRCMD.exe
1/11/2010 7:18:06 PM    1233    32    C:\WINDOWS\ntdtcsetup.log
1/11/2010 7:18:05 PM    2956    32    C:\WINDOWS\ocgen.log
1/11/2010 7:18:07 PM    342    32    C:\WINDOWS\ocmsn.log
1/25/2010 7:07:46 PM    261632    32    C:\WINDOWS\PEV.exe
1/25/2010 7:07:46 PM    98816    32    C:\WINDOWS\sed.exe
1/11/2010 7:18:06 PM    0    32    C:\WINDOWS\setupact.log
1/13/2010 7:36:57 PM    2006    32    C:\WINDOWS\setupapi.log
1/11/2010 7:18:06 PM    0    32    C:\WINDOWS\setuperr.log
1/25/2010 7:07:46 PM    161792    32    C:\WINDOWS\SWREG.exe
1/25/2010 7:07:46 PM    136704    32    C:\WINDOWS\SWSC.exe
1/25/2010 7:07:46 PM    212480    32    C:\WINDOWS\SWXCACLS.exe
1/11/2010 7:18:07 PM    311    32    C:\WINDOWS\tabletoc.log
1/11/2010 7:18:06 PM    2821    32    C:\WINDOWS\tsoc.log
1/15/2010 9:46:14 AM    535    32    C:\WINDOWS\wmsetup.log
1/25/2010 7:07:46 PM    68096    32    C:\WINDOWS\zip.exe
1/11/2010 7:17:33 PM    0    C:\WINDOWS\system32\appmgmt
1/11/2010 7:17:33 PM    0    C:\WINDOWS\system32\appmgmt\MACHINE
1/11/2010 7:17:33 PM    0    C:\WINDOWS\system32\appmgmt\S-1-5-21-299502267-790525478-1606980848-1006
1/8/2010 2:45:10 PM    145184    32    C:\WINDOWS\system32\java.exe
1/8/2010 2:45:10 PM    73728    32    C:\WINDOWS\system32\javacpl.cpl
1/8/2010 2:45:10 PM    145184    32    C:\WINDOWS\system32\javaw.exe
1/8/2010 2:45:10 PM    149280    32    C:\WINDOWS\system32\javaws.exe
12/21/2009 10:43:12 AM    221184    32    C:\WINDOWS\system32\wmpns.dll

====== "\Administrator\Startup" Last 60 Days======

12/21/2009 10:42:45 AM    84    38    C:\Documents and Settings\administrator\Start Menu\Programs\Startup\desktop.ini

====== "\All Users\Startup" Last 60 Days======


====== "\Program Files" Last 60 Days======

12/22/2009 3:40:22 PM    2924696    C:\Program Files\CCleaner
12/11/2009 5:11:08 PM    0    C:\Program Files\Graboid
1/8/2010 2:44:46 PM    90530502    C:\Program Files\Java
1/7/2010 7:09:29 PM    4180620    C:\Program Files\Malwarebytes' Anti-Malware
12/11/2009 5:13:51 PM    2004    C:\Program Files\Mozilla ActiveX Control v1.7.12
12/15/2009 12:22:27 PM    29350448    C:\Program Files\Paint.NET
12/22/2009 3:47:09 PM    59285255    C:\Program Files\Spybot - Search & Destroy
1/13/2010 2:28:03 PM    5354707    C:\Program Files\SpywareBlaster
12/22/2009 3:50:25 PM    404527    C:\Program Files\Trend Micro
12/11/2009 5:12:58 PM    33438420    C:\Program Files\VideoLAN

======"Drivers" Modified Last 60 Days======

1/13/2010 2:28:37 PM    19160    32    C:\WINDOWS\system32\drivers\mbam.sys
1/13/2010 2:28:43 PM    38224    32    C:\WINDOWS\system32\drivers\mbamswissarmy.sys

====== Files Deleted under "%Temp%" ======

5 Files deleted

======"All Users\Application Data" Last 60 Days======

1/7/2010 7:09:33 PM    3742129    C:\Documents and Settings\All Users\Application Data\Malwarebytes
1/7/2010 7:09:33 PM    3742129    C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
12/22/2009 3:47:09 PM    8143    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
12/22/2009 3:47:21 PM    0    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups
12/22/2009 3:47:09 PM    144    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Excludes
12/22/2009 3:49:53 PM    3161    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
12/22/2009 3:47:21 PM    0    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
1/13/2010 2:28:19 PM    0    C:\Documents and Settings\All Users\Application Data\TEMP

====== HKLM\~\ShellServiceObjectDelayLoad======

PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll

CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll

WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - %Systemroot%\system32\webcheck.dll

SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - %systemroot%\system32\stobject.dll

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll


====== HKLM\~\SharedTaskScheduler======

Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - %SystemRoot%\system32\browseui.dll

Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll

======HKLM\~\msconfig\startupreg======

HKLM\Software\microsoft\shared tools\msconfig\startupreg\

====== Services ( Services that are Whitelisted are not shown) ======

Abiosdsk (Abiosdsk)-  - Disabled/Stopped
abp480n5 (abp480n5)-  - Disabled/Stopped
ACPI (Microsoft ACPI Driver)- C:\WINDOWS\system32\DRIVERS\ACPI.sys - Boot/Running
ACPIEC (ACPIEC)- C:\WINDOWS\system32\drivers\ACPIEC.sys - Disabled/Stopped
adpu160m (adpu160m)-  - Disabled/Stopped
aec (Microsoft Kernel Acoustic Echo Canceller)- C:\WINDOWS\system32\drivers\aec.sys - Manual/Stopped
AFD (AFD)- C:\WINDOWS\system32\drivers\afd.sys - System/Running
Aha154x (Aha154x)-  - Disabled/Stopped
aic78u2 (aic78u2)-  - Disabled/Stopped
aic78xx (aic78xx)-  - Disabled/Stopped
AliIde (AliIde)-  - Disabled/Stopped
amsint (amsint)-  - Disabled/Stopped
asc (asc)-  - Disabled/Stopped
asc3350p (asc3350p)-  - Disabled/Stopped
asc3550 (asc3550)-  - Disabled/Stopped
AsyncMac (RAS Asynchronous Media Driver)- C:\WINDOWS\system32\DRIVERS\asyncmac.sys - Manual/Stopped
atapi (Standard IDE/ESDI Hard Disk Controller)- C:\WINDOWS\system32\DRIVERS\atapi.sys - Boot/Running
Atdisk (Atdisk)-  - Disabled/Stopped
ati2mtag (ati2mtag)- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys - Manual/Running
Atmarpc (ATM ARP Client Protocol)- C:\WINDOWS\system32\DRIVERS\atmarpc.sys - Manual/Stopped
audstub (Audio Stub Driver)- C:\WINDOWS\system32\DRIVERS\audstub.sys - Manual/Running
Beep (Beep)- C:\WINDOWS\system32\drivers\Beep.sys - System/Running
catchme (catchme)- \??\C:\ComboFix\catchme.sys - Manual/Stopped
cbidf2k (cbidf2k)- C:\WINDOWS\system32\drivers\cbidf2k.sys - Disabled/Stopped
cd20xrnt (cd20xrnt)-  - Disabled/Stopped
Cdaudio (Cdaudio)- C:\WINDOWS\system32\drivers\Cdaudio.sys - System/Stopped
Cdfs (Cdfs)- C:\WINDOWS\system32\drivers\Cdfs.sys - Disabled/Running
Cdrom (CD-ROM Driver)- C:\WINDOWS\system32\DRIVERS\cdrom.sys - System/Running
Changer (Changer)-  - System/Stopped
CmdIde (CmdIde)-  - Disabled/Stopped
Cpqarray (Cpqarray)-  - Disabled/Stopped
cpuz132 (cpuz132)- \??\C:\WINDOWS\system32\drivers\cpuz132_x32.sys - Auto/Running
ctsfm2k (Creative SoundFont Management Device Driver)- C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys - Manual/Running
dac960nt (dac960nt)-  - Disabled/Stopped
dfmirage (dfmirage)- C:\WINDOWS\system32\DRIVERS\dfmirage.sys - Manual/Running
Disk (Disk Driver)- C:\WINDOWS\system32\DRIVERS\disk.sys - Boot/Running
dmboot (dmboot)- C:\WINDOWS\system32\drivers\dmboot.sys - Disabled/Stopped
dmio (Logical Disk Manager Driver)- C:\WINDOWS\system32\drivers\dmio.sys - Boot/Running
dmload (dmload)- C:\WINDOWS\system32\drivers\dmload.sys - Boot/Running
DMusic (Microsoft Kernel DLS Syntheiszer)- C:\WINDOWS\system32\drivers\DMusic.sys - Manual/Stopped
dpti2o (dpti2o)-  - Disabled/Stopped
drmkaud (Microsoft Kernel DRM Audio Descrambler)- C:\WINDOWS\system32\drivers\drmkaud.sys - Manual/Stopped
E100B (Intel(R) PRO Adapter Driver)- C:\WINDOWS\system32\DRIVERS\e100b325.sys - Manual/Running
Fastfat (Fastfat)- C:\WINDOWS\system32\drivers\Fastfat.sys - Disabled/Stopped
Fdc (Fdc)- C:\WINDOWS\system32\drivers\Fdc.sys - System/Stopped
Fips (Fips)- C:\WINDOWS\system32\drivers\Fips.sys - System/Running
Flpydisk (Flpydisk)- C:\WINDOWS\system32\drivers\Flpydisk.sys - System/Stopped
FltMgr (FltMgr)- C:\WINDOWS\system32\DRIVERS\fltMgr.sys - Boot/Running
Ftdisk (Volume Manager Driver)- C:\WINDOWS\system32\DRIVERS\ftdisk.sys - Boot/Running
Gpc (Generic Packet Classifier)- C:\WINDOWS\system32\DRIVERS\msgpc.sys - Manual/Running
hidusb (Microsoft HID Class Driver)- C:\WINDOWS\system32\DRIVERS\hidusb.sys - Manual/Running
hpn (hpn)-  - Disabled/Stopped
HTTP (HTTP)- C:\WINDOWS\system32\Drivers\HTTP.sys - Manual/Running
i2omgmt (i2omgmt)-  - System/Stopped
i2omp (i2omp)-  - Disabled/Stopped
i8042prt (i8042prt)- C:\WINDOWS\system32\drivers\i8042prt.sys - System/Stopped
Imapi (CD-Burning Filter Driver)- C:\WINDOWS\system32\DRIVERS\imapi.sys - System/Running
ini910u (ini910u)-  - Disabled/Stopped
IntelIde (IntelIde)- C:\WINDOWS\system32\DRIVERS\intelide.sys - Boot/Running
intelppm (Intel Processor Driver)- C:\WINDOWS\system32\DRIVERS\intelppm.sys - System/Running
Ip6Fw (IPv6 Windows Firewall Driver)- C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys - Manual/Stopped
IpFilterDriver (IP Traffic Filter Driver)- C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys - Manual/Stopped
IpInIp (IP in IP Tunnel Driver)- C:\WINDOWS\system32\DRIVERS\ipinip.sys - Manual/Stopped
IpNat (IP Network Address Translator)- C:\WINDOWS\system32\DRIVERS\ipnat.sys - Manual/Running
IPSec (IPSEC driver)- C:\WINDOWS\system32\DRIVERS\ipsec.sys - System/Running
IRENUM (IR Enumerator Service)- C:\WINDOWS\system32\DRIVERS\irenum.sys - Manual/Stopped
isapnp (PnP ISA/EISA Bus Driver)- C:\WINDOWS\system32\DRIVERS\isapnp.sys - Boot/Running
Kbdclass (Keyboard Class Driver)- C:\WINDOWS\system32\DRIVERS\kbdclass.sys - System/Running
kbdhid (Keyboard HID Driver)- C:\WINDOWS\system32\DRIVERS\kbdhid.sys - System/Running
kmixer (Microsoft Kernel Wave Audio Mixer)- C:\WINDOWS\system32\drivers\kmixer.sys - Manual/Stopped
KSecDD (KSecDD)- C:\WINDOWS\system32\drivers\KSecDD.sys - Boot/Running
lbrtfdc (lbrtfdc)-  - System/Stopped
mfeapfk (McAfee Inc. mfeapfk)- C:\WINDOWS\system32\drivers\mfeapfk.sys - Manual/Running
mfeavfk (McAfee Inc. mfeavfk)- C:\WINDOWS\system32\drivers\mfeavfk.sys - Manual/Running
mfebopk (McAfee Inc. mfebopk)- C:\WINDOWS\system32\drivers\mfebopk.sys - Manual/Running
mfehidk (McAfee Inc. mfehidk)- C:\WINDOWS\system32\drivers\mfehidk.sys - Boot/Running
mferkdet (McAfee Inc. mferkdet)- C:\WINDOWS\system32\drivers\mferkdet.sys - Manual/Stopped
mfetdik (McAfee Inc. mfetdik)- C:\WINDOWS\system32\drivers\mfetdik.sys - System/Running
mnmdd (mnmdd)- C:\WINDOWS\system32\drivers\mnmdd.sys - System/Running
Modem (Modem)- C:\WINDOWS\system32\drivers\Modem.sys - Manual/Stopped
Mouclass (Mouse Class Driver)- C:\WINDOWS\system32\DRIVERS\mouclass.sys - System/Running
mouhid (Mouse HID Driver)- C:\WINDOWS\system32\DRIVERS\mouhid.sys - Manual/Running
MountMgr (MountMgr)- C:\WINDOWS\system32\drivers\MountMgr.sys - Boot/Running
mraid35x (mraid35x)-  - Disabled/Stopped
MRxDAV (WebDav Client Redirector)- C:\WINDOWS\system32\DRIVERS\mrxdav.sys - Manual/Running
MRxSmb (MRXSMB)- C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - System/Running
Msfs (Msfs)- C:\WINDOWS\system32\drivers\Msfs.sys - System/Running
MSKSSRV (Microsoft Streaming Service Proxy)- C:\WINDOWS\system32\drivers\MSKSSRV.sys - Manual/Stopped
MSPCLOCK (Microsoft Streaming Clock Proxy)- C:\WINDOWS\system32\drivers\MSPCLOCK.sys - Manual/Stopped
MSPQM (Microsoft Streaming Quality Manager Proxy)- C:\WINDOWS\system32\drivers\MSPQM.sys - Manual/Stopped
mssmbios (Microsoft System Management BIOS Driver)- C:\WINDOWS\system32\DRIVERS\mssmbios.sys - Manual/Running
Mup (Mup)- C:\WINDOWS\system32\drivers\Mup.sys - Boot/Running
NDIS (NDIS System Driver)- C:\WINDOWS\system32\drivers\NDIS.sys - Boot/Running
NdisTapi (Remote Access NDIS TAPI Driver)- C:\WINDOWS\system32\DRIVERS\ndistapi.sys - Manual/Running
Ndisuio (NDIS Usermode I/O Protocol)- C:\WINDOWS\system32\DRIVERS\ndisuio.sys - Manual/Running
NdisWan (Remote Access NDIS WAN Driver)- C:\WINDOWS\system32\DRIVERS\ndiswan.sys - Manual/Running
NDProxy (NDIS Proxy)- C:\WINDOWS\system32\drivers\NDProxy.sys - Manual/Running
NetBIOS (NetBIOS Interface)- C:\WINDOWS\system32\DRIVERS\netbios.sys - System/Running
NetBT (NetBios over Tcpip)- C:\WINDOWS\system32\DRIVERS\netbt.sys - System/Running
NetwareWorkstation (Novell Client for Windows)- C:\WINDOWS\system32\NetWare\nwfs.sys - Auto/Running
NICM (Novell InterService Communication Driver)- C:\WINDOWS\system32\drivers\nicm.sys - Boot/Running
nipplpt2 (Novell iCapture Lpt Redirector 2)- C:\WINDOWS\system32\drivers\nipplpt.sys - System/Running
Npfs (Npfs)- C:\WINDOWS\system32\drivers\Npfs.sys - System/Running
Ntfs (Ntfs)- C:\WINDOWS\system32\drivers\Ntfs.sys - Disabled/Running
Null (Null)- C:\WINDOWS\system32\drivers\Null.sys - System/Running
NWDHCP (Novell DHCP Inform Client)- C:\WINDOWS\system32\NetWare\nwdhcp.sys - Manual/Stopped
NWDNS (Novell DNS Name Space Service Provider)- C:\WINDOWS\system32\NetWare\nwdns.sys - Manual/Running
NWFILTER (Novell UNC Path Filter)- C:\WINDOWS\system32\NetWare\nwfilter.sys - Boot/Running
NWHOST (Novell Host File Name Space Service Provider)- C:\WINDOWS\system32\NetWare\NWHOST.sys - Manual/Running
NwlnkFlt (IPX Traffic Filter Driver)- C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys - Manual/Stopped
NwlnkFwd (IPX Traffic Forwarder Driver)- C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys - Manual/Stopped
NWSAP (Novell SAP Name Space Provider)- C:\WINDOWS\system32\NetWare\NWSAP.sys - Manual/Stopped
NWSIPX32 (Novell NetWare IPX/SPX Transport Interface)- C:\WINDOWS\system32\NetWare\nwsipx32.sys - Auto/Stopped
NWSLP (Novell SLP Name Space Service Provider)- C:\WINDOWS\system32\NetWare\nwslp.sys - Manual/Running
NWSNS (Novell Simple Naming Services (NWSNS))- C:\WINDOWS\system32\NetWare\NWSNS.sys - Manual/Running
ossrv (Creative OS Services Driver)- C:\WINDOWS\system32\DRIVERS\ctoss2k.sys - Manual/Running
P17 (SB Live! 24-bit)- C:\WINDOWS\system32\drivers\P17.sys - Manual/Running
Parport (Parallel port driver)- C:\WINDOWS\system32\DRIVERS\parport.sys - Manual/Running
PartMgr (PartMgr)- C:\WINDOWS\system32\drivers\PartMgr.sys - Boot/Running
ParVdm (ParVdm)- C:\WINDOWS\system32\drivers\ParVdm.sys - Auto/Running
PCI (PCI Bus Driver)- C:\WINDOWS\system32\DRIVERS\pci.sys - Boot/Running
PCIDump (PCIDump)-  - System/Stopped
PCIIde (PCIIde)- C:\WINDOWS\system32\DRIVERS\pciide.sys - Boot/Running
Pcmcia (Pcmcia)- C:\WINDOWS\system32\drivers\Pcmcia.sys - Disabled/Stopped
PDCOMP (PDCOMP)-  - Manual/Stopped
PDFRAME (PDFRAME)-  - Manual/Stopped
PDRELI (PDRELI)-  - Manual/Stopped
PDRFRAME (PDRFRAME)-  - Manual/Stopped
perc2 (perc2)-  - Disabled/Stopped
perc2hib (perc2hib)-  - Disabled/Stopped
PptpMiniport (WAN Miniport (PPTP))- C:\WINDOWS\system32\DRIVERS\raspptp.sys - Manual/Running
PSched (QoS Packet Scheduler)- C:\WINDOWS\system32\DRIVERS\psched.sys - Manual/Running
Ptilink (Direct Parallel Link Driver)- C:\WINDOWS\system32\DRIVERS\ptilink.sys - Manual/Running
ql1080 (ql1080)-  - Disabled/Stopped
Ql10wnt (Ql10wnt)-  - Disabled/Stopped
ql12160 (ql12160)-  - Disabled/Stopped
ql1240 (ql1240)-  - Disabled/Stopped
ql1280 (ql1280)-  - Disabled/Stopped
RasAcd (Remote Access Auto Connection Driver)- C:\WINDOWS\system32\DRIVERS\rasacd.sys - System/Running
Rasl2tp (WAN Miniport (L2TP))- C:\WINDOWS\system32\DRIVERS\rasl2tp.sys - Manual/Running
RasPppoe (Remote Access PPPOE Driver)- C:\WINDOWS\system32\DRIVERS\raspppoe.sys - Manual/Running
Raspti (Direct Parallel)- C:\WINDOWS\system32\DRIVERS\raspti.sys - Manual/Running
Rdbss (Rdbss)- C:\WINDOWS\system32\DRIVERS\rdbss.sys - System/Running
RDPCDD (RDPCDD)- C:\WINDOWS\system32\DRIVERS\RDPCDD.sys - System/Running
rdpdr (Terminal Server Device Redirector Driver)- C:\WINDOWS\system32\DRIVERS\rdpdr.sys - Manual/Running
RDPWD (RDPWD)- C:\WINDOWS\system32\drivers\RDPWD.sys - Manual/Stopped
redbook (Digital CD Audio Playback Filter Driver)- C:\WINDOWS\system32\DRIVERS\redbook.sys - System/Running
RESMGR (Novell NetWare Resource Manager)- C:\WINDOWS\system32\NetWare\resmgr.sys - Auto/Running
Secdrv (Secdrv)- C:\WINDOWS\system32\DRIVERS\secdrv.sys - Manual/Stopped
senfilt (senfilt)- C:\WINDOWS\system32\drivers\senfilt.sys - Manual/Running
serenum (Serenum Filter Driver)- C:\WINDOWS\system32\DRIVERS\serenum.sys - Manual/Running
Serial (Serial port driver)- C:\WINDOWS\system32\DRIVERS\serial.sys - System/Running
Sfloppy (Sfloppy)- C:\WINDOWS\system32\drivers\Sfloppy.sys - System/Stopped
Simbad (Simbad)-  - Disabled/Stopped
smwdm (smwdm)- C:\WINDOWS\system32\drivers\smwdm.sys - Manual/Running
Sparrow (Sparrow)-  - Disabled/Stopped
splitter (Microsoft Kernel Audio Splitter)- C:\WINDOWS\system32\drivers\splitter.sys - Manual/Stopped
sr (System Restore Filter Driver)- C:\WINDOWS\system32\DRIVERS\sr.sys - Boot/Running
Srv (Srv)- C:\WINDOWS\system32\DRIVERS\srv.sys - Manual/Running
SRVLOC (Novell Service Location)- C:\WINDOWS\system32\NetWare\srvloc.sys - Auto/Running
swenum (Software Bus Driver)- C:\WINDOWS\system32\DRIVERS\swenum.sys - Manual/Running
swmidi (Microsoft Kernel GS Wavetable Synthesizer)- C:\WINDOWS\system32\drivers\swmidi.sys - Manual/Stopped
symc810 (symc810)-  - Disabled/Stopped
symc8xx (symc8xx)-  - Disabled/Stopped
sym_hi (sym_hi)-  - Disabled/Stopped
sym_u3 (sym_u3)-  - Disabled/Stopped
sysaudio (Microsoft Kernel System Audio Device)- C:\WINDOWS\system32\drivers\sysaudio.sys - Manual/Running
Tcpip (TCP/IP Protocol Driver)- C:\WINDOWS\system32\DRIVERS\tcpip.sys - System/Running
TDPIPE (TDPIPE)- C:\WINDOWS\system32\drivers\TDPIPE.sys - Manual/Stopped
TDTCP (TDTCP)- C:\WINDOWS\system32\drivers\TDTCP.sys - Manual/Stopped
TermDD (Terminal Device Driver)- C:\WINDOWS\system32\DRIVERS\termdd.sys - System/Running
TosIde (TosIde)-  - Disabled/Stopped
Udfs (Udfs)- C:\WINDOWS\system32\drivers\Udfs.sys - Disabled/Stopped
ultra (ultra)-  - Disabled/Stopped
Update (Microcode Update Driver)- C:\WINDOWS\system32\DRIVERS\update.sys - Manual/Running
usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver)- C:\WINDOWS\system32\DRIVERS\usbehci.sys - Manual/Running
usbhub (USB2 Enabled Hub)- C:\WINDOWS\system32\DRIVERS\usbhub.sys - Manual/Running
usbprint (Microsoft USB PRINTER Class)- C:\WINDOWS\system32\DRIVERS\usbprint.sys - Manual/Running
USBSTOR (USB Mass Storage Driver)- C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Manual/Stopped
usbuhci (Microsoft USB Universal Host Controller Miniport Driver)- C:\WINDOWS\system32\DRIVERS\usbuhci.sys - Manual/Running
VgaSave (VgaSave)- C:\WINDOWS\system32\drivers\vga.sys - System/Running
ViaIde (ViaIde)-  - Disabled/Stopped
VolSnap (VolSnap)- C:\WINDOWS\system32\drivers\VolSnap.sys - Boot/Running
Wanarp (Remote Access IP ARP Driver)- C:\WINDOWS\system32\DRIVERS\wanarp.sys - Manual/Running
WDICA (WDICA)-  - Manual/Stopped
wdmaud (Microsoft WINMM WDM Audio Compatibility Driver)- C:\WINDOWS\system32\drivers\wdmaud.sys - Manual/Running
WNTHW (WNTHW)- \??\C:\WINDOWS\system32\DRIVERS\WNTHW.SYS - Auto/Running
WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver)- C:\WINDOWS\system32\DRIVERS\WudfPf.sys - Manual/Stopped
WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector)- C:\WINDOWS\system32\DRIVERS\wudfrd.sys - Manual/Stopped

====== Uninstall List ======

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
ATI - Software Uninstall Utility
ATI Display Driver
CCleaner
CPUID CPU-Z 1.52.2
HijackThis 2.0.2
hp deskjet 960c series (Remove only)
hp deskjet 960c series
Windows Internet Explorer 8
Update for Windows XP (KB898461)
Microsoft Base Smart Card Cryptographic Service Provider Package
Hotfix for Windows XP (KB915800-v4)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Windows PowerShell(TM) 1.0
Windows PowerShell(TM) 1.0 MUI pack
Hotfix for Windows Media Format 11 SDK (KB929399)
Security Update for Windows XP (KB938464-v2)
Hotfix for Windows Media Player 11 (KB939683)
Windows Search 4.0
Security Update for Windows XP (KB941569)
Update for Windows XP (KB943729)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Update for Windows XP (KB951978)
Security Update for Windows XP (KB952004)
Security Update for Windows Media Player (KB952069)
Hotfix for Windows XP (KB952287)
Security Update for Windows XP (KB952954)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Hotfix for Windows XP (KB961118)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows Search 4 - KB963093
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Security Update for Windows XP (KB968537)
Security Update for Windows Media Player (KB968816)
Security Update for Windows XP (KB970238)
Hotfix for Windows XP (KB970653-v3)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows Media Player (KB973540)
Update for Windows XP (KB973815)
Security Update for Windows XP (KB973869)
Update for Windows Internet Explorer 8 (KB973874)
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 3.5 SP1
Mozilla Firefox (3.5.7)
Microsoft Compression Client Pack 1.0 for Windows XP
Novell Client for Windows
Novell iPrint Client v05.12.00
Novell iPrint Client v05.12.00
Microsoft Office Professional Plus 2007
Intel(R) PRO Network Adapters and Drivers
SpywareBlaster 4.2
VideoLAN VLC media player 0.8.6d
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
Novell ZENworks
remotemanagement-langs
ZENworks Action Utilities
primary-agent-langs
ZENworks Version Information
ZENworks Agent System Update Module
ATI Control Panel
policy-langs
McAfee VirusScan Enterprise
content-distribution-point-langs
Novell ZENworks Adaptive Agent Help
ZENworks Windows UI
ZENworks Extensions Libraries
Java(TM) 6 Update 17
ZENworks Imaging Server
zencore-agent-langs
ZENworks Agent Core Modules
inventory-langs
ZENworks Content Distribution Point
ZENworks Agent Bundle Management
Paint.NET v3.5.1
ZENworks Status Collection Point
WinProxy-langs
ZENworks Information Icon
zennotifyicon-langs
ZENworks Remote Management
ZENworks Policy Libraries
ZENworks Primary Agent
bundle-langs
ZENworks Action Handlers
actions-langs
Microsoft Silverlight
ZENworks Uninstaller
ZENworks Agent WinProxy Module
Action Handler Resources
Microsoft Office Professional Plus 2007
Update for Outlook 2007 Junk Email Filter (kb973514)
Microsoft Office 2007 Service Pack 2 (SP2)
Security Update for Microsoft Office system 2007 (KB969613)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Security Update for 2007 Microsoft Office System (KB969559)
Update for Microsoft Office Outlook 2007 (KB969907)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office Excel 2007 (KB969682)
Update for 2007 Microsoft Office System (KB967642)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Word 2007 (KB969604)
Microsoft Office Access MUI (English) 2007
Microsoft Office 2007 Service Pack 2 (SP2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Update for Microsoft Office Access 2007 Help (KB963663)
Microsoft Office Excel MUI (English) 2007
Update for Microsoft Office Excel 2007 Help (KB963678)
Microsoft Office 2007 Service Pack 2 (SP2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office 2007 Service Pack 2 (SP2)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Microsoft Office Publisher MUI (English) 2007
Update for Microsoft Office Publisher 2007 Help (KB963667)
Microsoft Office 2007 Service Pack 2 (SP2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Microsoft Office Outlook MUI (English) 2007
Update for Microsoft Office Outlook 2007 Help (KB963677)
Microsoft Office 2007 Service Pack 2 (SP2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Microsoft Office Word MUI (English) 2007
Microsoft Office 2007 Service Pack 2 (SP2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Update for Microsoft Office Word 2007 Help (KB963665)
Microsoft Office Proof (English) 2007
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proof (French) 2007
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Microsoft Office Proofing (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office 2007 Service Pack 2 (SP2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Update for Microsoft Office Infopath 2007 Help (KB963662)
Microsoft Office Shared MUI (English) 2007
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{62B488BC-CF0C-4F0D-AAAF-E141DA40E206}\DisplayName
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Script Editor Help (KB963671)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office 2007 Service Pack 2 (SP2)
ZENworks Policy Handlers
ZENworks Agent Inventory Management
Policy Action Handler Resources
NMAS Client
ZENworks Image Management
Microsoft .NET Framework 3.0 Service Pack 2
Policy Handler Resources
Novell ZENworks Remote Management
Adobe Reader 9.2
Microsoft Office Live Add-in 1.4
OGA Notifier 2.0.0048.0
Novell CASA Authentication Token Client
Spybot - Search & Destroy
ZENworks Agent Policy Management
ZENworks Actions
NMAS Challenge Response Method
Microsoft .NET Framework 2.0 Service Pack 2
status-collection-point-langs
ZENworks Image-Safe Data Agent
Microsoft .NET Framework 1.1
Microsoft .NET Framework 3.5 SP1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
ZENworks User Management
CASA
usermanagement-langs
NICI (Shared) U.S./Worldwide (128 bit) (2.7.3-1)
SoundMAX
McAfee Agent
windows-desktop-langs

======== Other Info ========

TOTAL PHYSICAL RAM: 3219 MB

Boot Info

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

OS Type:  Microsoft Windows XP Professional
Build:  5.1.2600
Service Pack:  3.0

====== Files with Hidden Attributes======
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\NTDETECT.COM
C:\Documents and Settings\administrator\NTUSER.DAT
C:\Documents and Settings\administrator\IETldCache\index.dat
C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
C:\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Default User\NTUSER.DAT

==End of Report==

20.5K Posts

February 2nd, 2010 17:00

Unless my eyes are failing me, I do not see what could be causing those redirects.

You might as well delete these if you still have them:

If you have used any of the following, you can delete these now:

DDS

GMER

DDS.txt

Attach.txt

FileLister

To clean up ComboFix, please do the followung:

Because the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, along with the folders created by these tools.

* Click Start then Run
Copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and / Then hit enter.

This will remove ComboFix, run some cleanup procedures, and flush System Restore, thus creating a clean Restore Point.

No Events found!

Top