
Deadly 66.230.188.67 virus

Discussion in 'Windows - Virus and spyware problems' started by slub77, Sep 14, 2010.

  1. slub77

    slub77 Member

    Joined:
    Sep 14, 2010
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    I keep getting redirected to various pages whenever I click links. Checking what it normally redirects me to: 66.230.188.67, and then to a different site.
    This is getting very annoying, and I am sure it's doing more than redirecting me.
    Now I have scanned using almost everything. Here is my HijackThis log:


     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    slub77,

    Use HijackThis to Fix (remove) the following lines:

    O4 - HKLM\..\RunOnce: [*msgauthparse.exe] "C:\WINDOWS\system32\config\systemprofile\msgauthparse.exe"

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


    Go to Safe Mode by tapping F8 while rebooting.

    In Safe Mode, use Windows Explorer to follow the path to, and delete, the following file:
    C:\WINDOWS\system32\config\systemprofile\msgauthparse.exe


    Reboot:

    Download and run SUPERAntiSpyware and post the log here.

    I don’t see an AntiVirus running on this computer. You need one!

    Free AntiVirus, choose one here:
    http://www.techsupportalert.com/best-free-anti-virus-software.htm
     
    Last edited: Sep 14, 2010
  3. slub77
    OK, I have done as you said. Here is the log from SUPERAntiSpyware :)

    (screenshot not preserved)

    That's the only thing it found.
     
    Last edited: Sep 15, 2010
  4. 2oldGeek
    OK, what's the outcome? How's the 'puter acting?




    p.s. that's not the "Log"
     
    Last edited: Sep 15, 2010
  5. slub77
    Well, now when I scan it, it still says it's clean, so I will see how it is today, then report back tomorrow :)
     
  6. slub77
    Still bad news; it seems to still be happening.
     
  7. 2oldGeek
    Scratching my head..... gee, I haven't a clue yet.

    Try running MalwareBytes and post the whole log; maybe I can see something there.
     
  8. slub77
     
  9. 2oldGeek
    Doesn't look like you removed anything i.e. -> No action taken.

    When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.


    also give an update on how it's acting.....
     
  10. funkk

    funkk Member

    Joined:
    Sep 22, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Hello,

    I am having the same issue. All my search links (both from Google and Yahoo) are getting redirected to some random ad sites when clicked. I ran a full McAfee scan, a full MalwareBytes scan, and also ran Spybot S&D. Nothing is helping. Here is my HJT log file. Please help! Thanks.

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:30:30 PM, on 9/22/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18928)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://train.ps.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://train.ps.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.cci.com:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Lotus Quickr Monitor.lnk = C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Make a Screenshot - res://C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL/202
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: IE Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
    O9 - Extra 'Tools' menuitem: Make a Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: IE Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL (HKCU)
    O9 - Extra 'Tools' menuitem: Make a Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL (HKCU)
    O15 - Trusted Zone: *.perotsystems.com
    O15 - Trusted Zone: *.perotsystems.net
    O15 - Trusted Zone: *.ps.net
    O15 - Trusted Zone: *.scglobal.com
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://psconnectvpn.perotsystems.com/vdesk/terminal/InstallerControl.cab
    O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://psconnectvpn.perotsystems.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0828,1604
    O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://gmgdvs01.gmsg.net:1024/VirtualServer/activex/VMRCActiveXClient.cab
    O16 - DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} (IBM Browser plug-in for documents) - http://portalprodqkr.venturafoods.c...com.ibm.wps.dm/jsp/common/plugin/DMPlugin.cab
    O16 - DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} (JDEWebRTFEditU Control) - http://jdesbx1.scglobal.com:7777/jde/axctls/jdewebctlsU.cab
    O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - https://train.ps.net/orgchart/OrgPubX.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://psconnectvpn.perotsystems.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2009,0622,1850
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
    O16 - DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} (JDEExcelAutoU Control) - http://localhost:8888/jde/axctls/jdeexpimpU.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perotsystems.net
    O17 - HKLM\Software\..\Telephony: DomainName = perotsystems.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perotsystems.net
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: OracleE1LocalTNSListener - Unknown owner - C:\Oracle\E1Local\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceE1LOCAL - Oracle Corporation - c:\oracle\e1local\bin\ORACLE.EXE
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\STacSV.exe
    O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

    --
    End of file - 12225 bytes
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     
  11. 2oldGeek
    Hi funkk,

    Use HijackThis to "Fix" the following lines:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.cci.com:8080

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>


    After removing those lines run a complete scan with SUPERAntiSpyware and remove anything it finds.

    Then let us know how it's going...
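The two "Fix these lines" replies in this thread (the O4 RunOnce entry in post #2 and the R1 ProxyServer entries in post #11) are triage done by eye. As an added example that is not part of the thread and not HijackThis code, the Python script below applies the same look-overs to an HJT log: RunOnce values whose name starts with `*` (Windows runs those even in Safe Mode), autostarts living in the SYSTEM profile or a temp folder, a configured proxy, orphaned O9 buttons, Trusted Zone sites, and O17 DNS entries. The flagging rules are this example's own assumptions about what deserves a second look. The sample log is constructed from lines trimmed out of the two logs above, plus one made-up O17 NameServer line that uses documentation addresses (198.51.100.0/24) so it runs offline.

```python
"""Triage a HijackThis (HJT) log for the entry types discussed in this thread.

Added example; not code from the thread or from HijackThis. The rules below
are this example's assumptions about what deserves a second look.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# 'O4 - HKLM\..\RunOnce: [*name] "path"'  ->  section tag + rest of the line
HJT_LINE_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")

# Autostart locations legitimate software almost never uses; the SYSTEM
# profile directory is where post #2's msgauthparse.exe lived.
SUSPICIOUS_PATH_RE = re.compile(
    r"\\system32\\config\\systemprofile\\|\\temp\\|\\recycler\\", re.IGNORECASE)

# Ranges a LAN/corporate DNS server normally sits in (RFC 1918, loopback,
# link-local); a public NameServer on a DHCP client is a classic DNS hijack.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": act on it; "review": confirm it is expected
    section: str    # HJT section tag, e.g. "O4"
    reason: str
    line: str


def is_local_address(addr: str) -> bool:
    """True for RFC 1918/loopback/link-local; False for public or unparsable."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def _check_o4(body):
    out = []
    # A RunOnce value name prefixed with '*' is executed even in Safe Mode.
    if re.search(r"RunOnce: \[\*", body):
        out.append(("high", "RunOnce value name starts with '*': runs even in Safe Mode"))
    if SUSPICIOUS_PATH_RE.search(body):
        out.append(("high", "autostart from a system-profile/temp location"))
    return out


def _check_r1(body):
    if "ProxyServer" in body:
        return [("review", "HTTP proxy configured; all browsing goes through it, "
                           "confirm it is the expected corporate proxy")]
    return []


def _check_o9(body):
    if "(file missing)" in body:
        return [("review", "orphaned IE button/menu item (file missing); safe to remove")]
    return []


def _check_o15(body):
    return [("review", "site in IE Trusted Zone runs with relaxed security settings")]


def _check_o17(body):
    m = re.search(r"NameServer = ([\d.,]+)", body)
    if m is None:
        return [("review", "DNS domain/suffix set; expected on a domain-joined machine")]
    servers = [s for s in m.group(1).split(",") if s]
    if any(not is_local_address(s) for s in servers):   # unparsable counts as suspect
        return [("high", "explicit public DNS servers on the client; a hijacked "
                         "resolver redirects every lookup, verify the addresses")]
    return [("review", "explicit local DNS servers set")]


CHECKS = {"O4": _check_o4, "R1": _check_r1, "O9": _check_o9,
          "O15": _check_o15, "O17": _check_o17}


def triage_hjt(log_text: str) -> list[Finding]:
    """Return one Finding per matched rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE_RE.match(line)
        if m is None:            # 'Running processes:' block, headers, blanks
            continue
        sec, body = m.group("sec"), m.group("body")
        for severity, reason in CHECKS.get(sec, lambda _: [])(body):
            findings.append(Finding(severity, sec, reason, line))
    return findings


# Constructed sample: lines trimmed from the thread's logs, plus a made-up
# O17 NameServer line using documentation addresses (198.51.100.0/24).
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [*msgauthparse.exe] "C:\WINDOWS\system32\config\systemprofile\msgauthparse.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.cci.com:8080
O15 - Trusted Zone: *.perotsystems.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 198.51.100.7,198.51.100.8
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

The `*` rule is why the order in post #2 matters: a RunOnce value named `*msgauthparse.exe` asks Windows to run it even in Safe Mode, so the registry entry is removed with HijackThis first and the file deleted in Safe Mode afterwards. The proxy rule deliberately reports "review" rather than "high": the same log that carries the ProxyServer value also carries corporate Trusted Zone and O17 domain entries, and a proxy on a domain-joined machine is often expected, so the check asks for confirmation instead of deciding on its own.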
     
  12. funkk
    Thank you. I removed those 2 entries. It's still doing the same... I am now downloading SUPERAntiSpyware. Will install and do the clean-up using that. Also, I ran Hitman Pro, a malware removal tool suggested on several websites for this Google redirect virus; it keeps flagging wininit.exe as rootkit-infected. But I have Vista and thought wininit.exe is needed for Vista and no issue there.

    I will let you know after I run SUPERAntiSpyware. Please let me know if there's anything else I should do about wininit.exe. Thanks again.
     
  13. funkk
    Here is the update. I ran SUPERAntiSpyware and it found about 75 adware infections. Fixed all of them. It didn't report anything else. But I still have the same issue: Google search links are redirecting to random ad websites.

    One other thing I noticed, which may give you some insight: when I double-click IE to open it, it flickers the first 2 or 3 times and doesn't open the browser. I can see the browser trying to open, like a flicker, and it closes right away; you don't see the whole browser, just an attempt to open. It happens the first 2 or 3 times and only opens on the 3rd or 4th attempt. I ran a complete virus scan with McAfee... ran the MalwareBytes full scan... ran Spybot S&D... ran Hitman Pro... now ran the SUPERAntiSpyware full scan too... nothing seemed to make any difference... Any clues? Here is the latest HJT log file. Please help. Thanks again for your time and help.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:40:34 AM, on 9/23/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18928)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://train.ps.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://train.ps.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Lotus Quickr Monitor.lnk = C:\Program Files\IBM\Lotus Quickr connectors\DIMon.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Make a Screenshot - res://C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL/202
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: IE Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
    O9 - Extra 'Tools' menuitem: Make a Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: IE Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL (HKCU)
    O9 - Extra 'Tools' menuitem: Make a Screenshot - {84A11D82-2732-40ed-BF71-80F1FAF3807F} - C:\PROGRA~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL (HKCU)
    O15 - Trusted Zone: *.perotsystems.com
    O15 - Trusted Zone: *.perotsystems.net
    O15 - Trusted Zone: *.ps.net
    O15 - Trusted Zone: *.scglobal.com
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://psconnectvpn.perotsystems.com/vdesk/terminal/InstallerControl.cab
    O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://psconnectvpn.perotsystems.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0828,1604
    O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://gmgdvs01.gmsg.net:1024/VirtualServer/activex/VMRCActiveXClient.cab
    O16 - DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} (IBM Browser plug-in for documents) - http://portalprodqkr.venturafoods.c...com.ibm.wps.dm/jsp/common/plugin/DMPlugin.cab
    O16 - DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} (JDEWebRTFEditU Control) - http://jdesbx1.scglobal.com:7777/jde/axctls/jdewebctlsU.cab
    O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - https://train.ps.net/orgchart/OrgPubX.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://psconnectvpn.perotsystems.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2009,0622,1850
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
    O16 - DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} (JDEExcelAutoU Control) - http://localhost:8888/jde/axctls/jdeexpimpU.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perotsystems.net
    O17 - HKLM\Software\..\Telephony: DomainName = perotsystems.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perotsystems.net
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: OracleE1LocalTNSListener - Unknown owner - C:\Oracle\E1Local\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceE1LOCAL - Oracle Corporation - c:\oracle\e1local\bin\ORACLE.EXE
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\STacSV.exe
    O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

    --
    End of file - 12019 bytes
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     
  14. funkk
    Hello 2OldGeek,

    Please help! Is there anything else I can try to get rid of this virus? None of the antivirus or anti-malware software I have seems to help with this. I can't do any search on Google or Yahoo either; links from both of them are getting redirected to some random ad sites. Please help. Thanks,
     
  15. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    funkk,

    Well it looks like you've picked up a tough one.

    I see you're using Vista and it looks like the 32-bit version. If it's 64-bit the following won't work, so don't even try it; let me know and maybe we can figure something else out.

    When done with this please post the log and I will go through it. I will be tied up this weekend but will try to get back to you as soon as possible.


    Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.


    1. Download ComboFix from one of these locations.
    * IMPORTANT !!! Place combofix.exe on your Desktop but DO NOT RUN IT!

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    2. Click Start > Run and copy and paste this in exactly, using the picture below for reference, then click OK.


    3. ComboFix will begin to run. DO NOTHING while this is happening.
    • It will kill a few processes and disconnect you from the internet.
    • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
    • This needs to be done so the program can work most efficiently for you.
    Do not attempt to use the internet or anything else while it's doing its job for you.

    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.

    If, when it's completed, you cannot get on the internet, just reboot the computer.

    Post the log from ComboFix for me, located in
    c:\comboFix.txt



    2oG
     
  16. funkk

    funkk Member

    Joined:
    Sep 22, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Sorry for the late response. Had an emergency at work that kept me out for a few days. Thanks for all your help. ComboFix seems to have taken care of the issue. I tried a few different searches and links and everything is working fine. Thanks again for all your help and time.
     
  17. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    That's great, funkk.

    If you will post the log from ComboFix for me, located in
    c:\comboFix.txt, we'll see if you have any underlying problems, like rootkits, that may come back to haunt you..... you may not be clean, yet...

    2oG
     
  18. funkk

    funkk Member

    Joined:
    Sep 22, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Hello 2oldGeek,

    Here is the log file combofix.txt found in the computer. Please let me know if I should be worried. Thanks.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ComboFix 10-09-24.05 - MuthupK 09/25/2010 8:54.1.2 - x86
    Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.3571.2543 [GMT -5:00]
    Running from: c:\users\MUTHUPK\Desktop\combofix.exe
    Command switches used :: /killall
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
    c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}
    c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}\chrome.manifest
    c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}\chrome\content\_cfg.js
    c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}\chrome\content\overlay.xul
    c:\users\MUTHUPK\AppData\Local\{66C39361-6E4A-4FBE-A537-C64578D1FB4E}\install.rdf

    ----- BITS: Possible infected sites -----

    hxxp://psc.perotsystems.net:80
    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe

    Infected copy of c:\windows\System32\wininit.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
    .

    2010-09-25 14:01 . 2010-09-25 20:10 -------- d-----w- c:\users\MUTHUPK\AppData\Local\temp
    2010-09-25 14:01 . 2010-09-25 14:01 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-25 14:01 . 2010-09-25 14:01 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-09-24 17:50 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-09-24 17:50 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-09-24 17:50 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-09-24 17:50 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-09-24 17:50 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-09-24 17:50 . 2010-09-24 17:50 -------- d-----w- c:\program files\Trojan Remover
    2010-09-24 17:50 . 2010-09-24 17:50 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Simply Super Software
    2010-09-24 17:50 . 2010-09-24 17:50 -------- d-----w- c:\programdata\Simply Super Software
    2010-09-24 16:52 . 2010-09-24 16:53 -------- d-----w- c:\program files\QuickTime
    2010-09-23 12:45 . 2010-09-23 12:45 63488 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-23 12:45 . 2010-09-23 12:45 52224 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-23 12:45 . 2010-09-23 12:45 117760 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com
    2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-22 22:27 . 2010-09-22 22:27 388096 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-22 22:27 . 2010-09-22 22:27 -------- d-----w- c:\program files\Trend Micro
    2010-09-22 19:42 . 2010-09-24 17:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-09-22 19:42 . 2010-09-22 19:46 -------- d-----w- c:\programdata\Hitman Pro
    2010-09-22 19:42 . 2010-09-22 19:42 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-09-22 02:34 . 2010-09-22 02:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-09-22 02:34 . 2010-09-22 02:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-09-21 16:17 . 2010-09-21 16:17 120 ----a-w- c:\users\MUTHUPK\AppData\Local\Gveqahi.dat
    2010-09-21 16:17 . 2010-09-21 16:17 0 ----a-w- c:\users\MUTHUPK\AppData\Local\Xbalexizuxawo.bin
    2010-09-06 16:35 . 2007-03-23 10:05 29272 ----a-r- c:\windows\system32\AdobePDF.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-25 20:11 . 2009-11-02 21:35 158395 ----a-w- c:\programdata\nvModes.dat
    2010-09-21 16:47 . 2010-06-12 21:40 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Ripen
    2010-09-21 16:47 . 2010-08-11 22:46 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Koemyx
    2010-09-11 19:07 . 2009-12-09 22:20 -------- d-----w- c:\programdata\FLEXnet
    2010-09-04 20:02 . 2009-03-18 20:01 -------- d-----w- c:\program files\Common Files\Adobe
    2010-08-26 13:39 . 2010-08-26 13:39 -------- d-----w- c:\programdata\Brother
    2010-08-18 18:11 . 2010-08-18 18:10 -------- d-----w- c:\program files\SpeedFan
    2010-08-04 04:36 . 2010-08-04 04:32 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-08-03 03:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-08-03 03:45 . 2009-03-18 19:48 -------- d-----w- c:\programdata\Microsoft Help
    2010-07-16 15:55 . 2010-07-16 15:55 45056 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut2_E14B8A0842B346769E911D39F8158DA1.exe
    2010-07-16 15:55 . 2010-07-16 15:55 45056 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut1_E14B8A0842B346769E911D39F8158DA1.exe
    2010-07-03 23:09 . 2010-07-03 23:09 439816 ----a-w- c:\users\MUTHUPK\AppData\Roaming\Real\Update\setup3.11\setup.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-23 483420]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13605408]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-11 92704]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-03-11 96800]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-06-16 624056]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-12 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-07-05 1167296]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Lotus Quickr Monitor.lnk - c:\program files\IBM\Lotus Quickr connectors\DIMon.exe [2009-11-2 591496]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63169\Scripts\Logon\0\0]
    "Script"=PerotLogon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63169\Scripts\Logon\1\0]
    "Script"=PerotLogon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
    backup=c:\windows\pss\VPN Client.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-02-16 00:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MeetingLauncher]
    2009-11-03 16:50 480560 ----a-w- c:\program files\Web Meeting\Modules\Launcher\mcLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2008-02-26 17:57 128296 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 19:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-12 13:12 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001

    R3 dc21x4vm;dc21x4VM Based Network Adapter Driver;c:\windows\system32\DRIVERS\dc21x4vm.sys [2006-11-02 52224]
    R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [2009-10-27 54544]
    R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [2009-10-27 22032]
    R3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\DRIVERS\PTUMWCSP.sys [2009-10-27 160400]
    R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [2009-10-27 12048]
    R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [2009-10-27 160400]
    R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [2009-10-27 115216]
    R3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\DRIVERS\PTUMWNSP.sys [2009-10-27 160400]
    R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [2009-10-27 160400]
    R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
    R4 OracleJobSchedulerE1LOCAL;OracleJobSchedulerE1LOCAL;c:\oracle\e1local\Bin\extjob.exe E1LOCAL [x]
    R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
    R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
    R4 WQ_USBCBAF;WiQuest Cable Association driver;c:\windows\system32\drivers\wq_cba.sys [2008-08-27 34104]
    R4 WQ_USBDWA;WiQuest Device Wire Adapter driver;c:\windows\system32\drivers\wq_dwa.sys [2008-08-27 112184]
    R4 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\wq_hwa.sys [2008-08-27 176696]
    R4 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\wq_ldr.sys [2008-08-27 33720]
    R4 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\wq_rci.sys [2008-08-27 79416]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\aestsrv.exe [2009-02-12 81920]
    S2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\DRIVERS\CdpPacket.sys [2007-09-07 35692]
    S2 OracleE1LocalTNSListener;OracleE1LocalTNSListener;c:\oracle\E1Local\BIN\TNSLSNR [x]
    S2 OracleServiceE1LOCAL;OracleServiceE1LOCAL;c:\oracle\e1local\bin\ORACLE.EXE E1LOCAL [x]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-02-11 172328]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-04-04 224384]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-06-26 3662848]
    S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-11-26 133472]
    S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-02-19 279520]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?hl=en
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Make a Screenshot - c:\progra~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL/202
    IE: {{84A11D82-2732-40ed-BF71-80F1FAF3807F} - {6BFA42E6-23F8-4ca7-A4E2-680EFB1F6DAE} - c:\progra~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
    Trusted Zone: perotsystems.com
    Trusted Zone: perotsystems.net
    Trusted Zone: ps.net
    Trusted Zone: scglobal.com
    DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxp://gmgdvs01.gmsg.net:1024/VirtualServer/activex/VMRCActiveXClient.cab
    DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} - hxxp://portalprodqkr.venturafoods.com:10038/lotus/PA_1_3F2DNS521GKI602HUIA3VB00K5/plugins/com.ibm.wps.dm/jsp/common/plugin/DMPlugin.cab
    DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://jdesbx1.scglobal.com:7777/jde/axctls/jdewebctlsU.cab
    DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxps://train.ps.net/orgchart/OrgPubX.cab
    DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} - hxxp://localhost:8888/jde/axctls/jdeexpimpU.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    ActiveSetup-{095DE041-4EC2-4FAE-A23C-401B47593EF4} - del



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-25 15:11
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\TMP0000004050F795056ABE235E 524288 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OracleE1LocalTNSListener]
    "ImagePath"="c:\oracle\E1Local\BIN\TNSLSNR "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(3120)
    c:\program files\IBM\Lotus Quickr connectors\DINSE.dll
    c:\program files\IBM\Lotus Quickr connectors\DICore.dll
    c:\program files\IBM\Lotus Quickr connectors\xerces240.dll
    c:\program files\IBM\Lotus Quickr connectors\DILibDocs.dll
    c:\program files\IBM\Lotus Quickr connectors\DIRes.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\STacSV.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\oracle\E1Local\BIN\TNSLSNR.exe
    c:\oracle\e1local\bin\ORACLE.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\CCM\CcmExec.exe
    c:\windows\system32\rundll32.exe
    c:\windows\System32\rundll32.exe
    c:\windows\System32\rundll32.exe
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\HidFind.exe
    c:\program files\DellTPad\Apntex.exe
    c:\program files\Hitman Pro 3.5\HitmanPro35.exe
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-25 15:15:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-25 20:15

    Pre-Run: 22,274,486,272 bytes free
    Post-Run: 21,657,870,336 bytes free

    - - End Of File - - 3BFCD19BC6D65FBBC8FB49A718003D6D
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     
  19. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    ComboFix fix

    You have a rootkit that may or may not cause problems because it has been disconnected, but it's best to remove it. Assuming you still have ComboFix; if not, please download it.
    1. Close any open browsers.
    2. Please close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
    3. Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

    Code:
    Rootkit::
    c:\windows\TEMP\TMP0000004050F795056ABE235E 524288 bytes

    Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.




    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



    That will clear you, and the next thing you should do is uninstall ComboFix (just deleting it does not remove it).

    Click START then RUN
    Now copy/paste Combofix /u in the run box and click OK.
    Note the space between the X and the U; it needs to be there.


    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


    2oG
     
    Last edited: Sep 30, 2010
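The ComboFix logs pasted in this thread and the CFScript that 2oldGeek built from the catchme "hidden files" line follow a fixed text layout, so a defender triaging such a log can parse it instead of reading it by eye. The Python below is an added example, not code from the thread, from ComboFix or from catchme. It parses the "Files Created" records (created and modified timestamps, a size or "--------" for a directory, the attribute string, the path) and the catchme hidden-file entries, renders those entries in the same "Rootkit::" form used in the post above, and applies one triage filter (non-directory entries under a path fragment) that is my own choice and not a verdict on any file. SAMPLE_LOG is constructed from lines copied out of the log posted earlier in the thread.

```python
"""Parse the ComboFix log layout shown in this thread.
Added example, not ComboFix's or the thread's own code. SAMPLE_LOG is
constructed from lines copied out of the log posted above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three "Files Created" records plus the catchme block.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))

2010-09-25 14:01 . 2010-09-25 20:10 -------- d-----w- c:\users\MUTHUPK\AppData\Local\temp
2010-09-21 16:17 . 2010-09-21 16:17 120 ----a-w- c:\users\MUTHUPK\AppData\Local\Gveqahi.dat
2010-09-21 16:17 . 2010-09-21 16:17 0 ----a-w- c:\users\MUTHUPK\AppData\Local\Xbalexizuxawo.bin

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

scanning hidden files ...


c:\windows\TEMP\TMP0000004050F795056ABE235E 524288 bytes

scan completed successfully
hidden files: 1
"""


@dataclass
class CreatedFile:
    """One record from the 'Files Created' / 'Find3M' sections."""
    created: str
    modified: str
    size: Optional[int]   # None when the size column is '--------' (a directory)
    attrs: str
    path: str

    @property
    def is_directory(self) -> bool:
        return self.attrs.startswith("d")


@dataclass
class HiddenFile:
    """One entry listed by catchme under 'scanning hidden files ...'."""
    path: str
    size: int


# <created> . <modified> <size|--------> <8-char attribute string> <path>
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) ([\w-]{8}) (.+)$"
)
HIDDEN_LINE = re.compile(r"^(.+?) (\d+) bytes$")


def parse_created_files(log: str) -> List[CreatedFile]:
    """Return every file/directory record found anywhere in the log."""
    records = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            records.append(CreatedFile(created, modified,
                                       None if size.startswith("-") else int(size),
                                       attrs, path))
    return records


def parse_hidden_files(log: str) -> List[HiddenFile]:
    """Return the '<path> <n> bytes' entries between the catchme
    'scanning hidden files' header and 'scan completed'."""
    hidden, in_section = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("scanning hidden files"):
            in_section = True
        elif in_section and s.startswith("scan completed"):
            break
        elif in_section:
            m = HIDDEN_LINE.match(s)
            if m:
                hidden.append(HiddenFile(m.group(1), int(m.group(2))))
    return hidden


def rootkit_directive(hidden: List[HiddenFile]) -> str:
    """Render hidden files in the CFScript 'Rootkit::' form used in the post
    above (each line exactly as catchme printed it)."""
    return "\n".join(["Rootkit::"] + [f"{h.path} {h.size} bytes" for h in hidden]) + "\n"


def files_under(records: List[CreatedFile], fragment: str) -> List[CreatedFile]:
    """Triage filter (my choice, not a verdict): non-directory entries whose
    path contains `fragment`, compared case-insensitively."""
    frag = fragment.lower()
    return [r for r in records if not r.is_directory and frag in r.path.lower()]
```

Pass the full saved c:\ComboFix.txt text to `parse_created_files` and `parse_hidden_files` to get the same records from a real log; `files_under(records, r"AppData\Local")` narrows the list to loose files in the user profile, which is where a reviewer would start reading, and `rootkit_directive` reproduces the block that was pasted into CFScript.txt by hand.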
  20. funkk

    funkk Member

    Joined:
    Sep 22, 2010
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Thanks for the detailed instructions. I did run ComboFix again as you suggested. Here is the log file from this run. Please let me know what I should do next, if anything. Thanks again.

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ComboFix 10-09-29.04 - MuthupK 09/30/2010 12:06:46.2.2 - x86
    Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.3571.2241 [GMT -5:00]
    Running from: c:\users\MUTHUPK\Desktop\ComboFix.exe
    Command switches used :: c:\users\MUTHUPK\Desktop\CFScript.txt
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-30 )))))))))))))))))))))))))))))))
    .

    2010-09-30 17:11 . 2010-09-30 17:15 -------- d-----w- c:\users\MUTHUPK\AppData\Local\temp
    2010-09-30 17:11 . 2010-09-30 17:11 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-09-30 17:11 . 2010-09-30 17:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-30 17:11 . 2010-09-30 17:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-09-24 16:52 . 2010-09-24 16:53 -------- d-----w- c:\program files\QuickTime
    2010-09-23 12:45 . 2010-09-23 12:45 63488 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-23 12:45 . 2010-09-23 12:45 52224 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-23 12:45 . 2010-09-23 12:45 117760 ----a-w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\SUPERAntiSpyware.com
    2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-09-23 12:45 . 2010-09-23 12:45 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-22 22:27 . 2010-09-22 22:27 388096 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-22 22:27 . 2010-09-22 22:27 -------- d-----w- c:\program files\Trend Micro
    2010-09-22 19:42 . 2010-09-25 20:15 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-09-22 19:42 . 2010-09-22 19:46 -------- d-----w- c:\programdata\Hitman Pro
    2010-09-22 19:42 . 2010-09-22 19:42 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-09-22 02:34 . 2010-09-22 02:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-09-22 02:34 . 2010-09-22 02:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-09-21 16:17 . 2010-09-21 16:17 120 ----a-w- c:\users\MUTHUPK\AppData\Local\Gveqahi.dat
    2010-09-21 16:17 . 2010-09-21 16:17 0 ----a-w- c:\users\MUTHUPK\AppData\Local\Xbalexizuxawo.bin
    2010-09-06 16:35 . 2007-03-23 10:05 29272 ----a-r- c:\windows\system32\AdobePDF.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-30 17:15 . 2009-11-02 21:35 158395 ----a-w- c:\programdata\nvModes.dat
    2010-09-21 16:47 . 2010-06-12 21:40 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Ripen
    2010-09-21 16:47 . 2010-08-11 22:46 -------- d-----w- c:\users\MUTHUPK\AppData\Roaming\Koemyx
    2010-09-11 19:07 . 2009-12-09 22:20 -------- d-----w- c:\programdata\FLEXnet
    2010-09-04 20:02 . 2009-03-18 20:01 -------- d-----w- c:\program files\Common Files\Adobe
    2010-08-26 13:39 . 2010-08-26 13:39 -------- d-----w- c:\programdata\Brother
    2010-08-18 18:11 . 2010-08-18 18:10 -------- d-----w- c:\program files\SpeedFan
    2010-08-04 04:36 . 2010-08-04 04:32 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-08-03 03:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-08-03 03:45 . 2009-03-18 19:48 -------- d-----w- c:\programdata\Microsoft Help
    2010-07-16 15:55 . 2010-07-16 15:55 45056 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut2_E14B8A0842B346769E911D39F8158DA1.exe
    2010-07-16 15:55 . 2010-07-16 15:55 45056 ----a-r- c:\users\MUTHUPK\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut1_E14B8A0842B346769E911D39F8158DA1.exe
    2010-07-03 23:09 . 2010-07-03 23:09 439816 ----a-w- c:\users\MUTHUPK\AppData\Roaming\Real\Update\setup3.11\setup.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-23 483420]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13605408]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-11 92704]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-03-11 96800]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-06-16 624056]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-12 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Lotus Quickr Monitor.lnk - c:\program files\IBM\Lotus Quickr connectors\DIMon.exe [2009-11-2 591496]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63169\Scripts\Logon\0\0]
    "Script"=PerotLogon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63169\Scripts\Logon\1\0]
    "Script"=PerotLogon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
    backup=c:\windows\pss\VPN Client.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-02-16 00:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MeetingLauncher]
    2009-11-03 16:50 480560 ----a-w- c:\program files\Web Meeting\Modules\Launcher\mcLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2008-02-26 17:57 128296 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 19:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-12 13:12 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001

    R3 dc21x4vm;dc21x4VM Based Network Adapter Driver;c:\windows\system32\DRIVERS\dc21x4vm.sys [2006-11-02 52224]
    R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-09-25 16968]
    R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [2009-10-27 54544]
    R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [2009-10-27 22032]
    R3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\DRIVERS\PTUMWCSP.sys [2009-10-27 160400]
    R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [2009-10-27 12048]
    R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [2009-10-27 160400]
    R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [2009-10-27 115216]
    R3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\DRIVERS\PTUMWNSP.sys [2009-10-27 160400]
    R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [2009-10-27 160400]
    R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
    R4 OracleJobSchedulerE1LOCAL;OracleJobSchedulerE1LOCAL;c:\oracle\e1local\Bin\extjob.exe E1LOCAL [x]
    R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
    R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
    R4 WQ_USBCBAF;WiQuest Cable Association driver;c:\windows\system32\drivers\wq_cba.sys [2008-08-27 34104]
    R4 WQ_USBDWA;WiQuest Device Wire Adapter driver;c:\windows\system32\drivers\wq_dwa.sys [2008-08-27 112184]
    R4 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\wq_hwa.sys [2008-08-27 176696]
    R4 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\wq_ldr.sys [2008-08-27 33720]
    R4 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\wq_rci.sys [2008-08-27 79416]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\aestsrv.exe [2009-02-12 81920]
    S2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\DRIVERS\CdpPacket.sys [2007-09-07 35692]
    S2 OracleE1LocalTNSListener;OracleE1LocalTNSListener;c:\oracle\E1Local\BIN\TNSLSNR [x]
    S2 OracleServiceE1LOCAL;OracleServiceE1LOCAL;c:\oracle\e1local\bin\ORACLE.EXE E1LOCAL [x]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-02-11 172328]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-04-04 224384]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-06-26 3662848]
    S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-11-26 133472]
    S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-02-19 279520]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?hl=en
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Make a Screenshot - c:\progra~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL/202
    IE: {{84A11D82-2732-40ed-BF71-80F1FAF3807F} - {6BFA42E6-23F8-4ca7-A4E2-680EFB1F6DAE} - c:\progra~1\BROWSE~1\IESCRE~1\IESCRE~1.DLL
    Trusted Zone: perotsystems.com
    Trusted Zone: perotsystems.net
    Trusted Zone: ps.net
    Trusted Zone: scglobal.com
    DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxp://gmgdvs01.gmsg.net:1024/VirtualServer/activex/VMRCActiveXClient.cab
    DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} - hxxp://portalprodqkr.venturafoods.com:10038/lotus/PA_1_3F2DNS521GKI602HUIA3VB00K5/plugins/com.ibm.wps.dm/jsp/common/plugin/DMPlugin.cab
    DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://jdesbx1.scglobal.com:7777/jde/axctls/jdewebctlsU.cab
    DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxps://train.ps.net/orgchart/OrgPubX.cab
    DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} - hxxp://localhost:8888/jde/axctls/jdeexpimpU.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-30 12:15
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OracleE1LocalTNSListener]
    "ImagePath"="c:\oracle\E1Local\BIN\TNSLSNR "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(2860)
    c:\program files\IBM\Lotus Quickr connectors\DINSE.dll
    c:\program files\IBM\Lotus Quickr connectors\DICore.dll
    c:\program files\IBM\Lotus Quickr connectors\xerces240.dll
    c:\program files\IBM\Lotus Quickr connectors\DILibDocs.dll
    c:\program files\IBM\Lotus Quickr connectors\DIRes.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\STacSV.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\oracle\E1Local\BIN\TNSLSNR.exe
    c:\oracle\e1local\bin\ORACLE.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\CCM\CcmExec.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\msiexec.exe
    c:\windows\System32\rundll32.exe
    c:\windows\System32\rundll32.exe
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\HidFind.exe
    c:\program files\DellTPad\Apntex.exe
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\windows\system32\wbem\WmiApSrv.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-30 12:21:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-30 17:21
    ComboFix2.txt 2010-09-25 20:15

    Pre-Run: 22,401,675,264 bytes free
    Post-Run: 22,005,366,784 bytes free

    - - End Of File - - A25173DC166A092C6F9FC1961762646E
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++