internet not working - registry keys deleted by malware


thermo
Member with 4 posts.
THREAD STARTER
Join Date: Apr 2012
Experience: Beginner
10-Apr-2012, 01:30 PM #1
internet not working - registry keys deleted by malware
I saw several other threads were told to run FSS, so I did too:

Farbar Service Scanner Version: 01-03-2012
Ran by engineer (administrator) on 10-04-2012 at 12:29:02
Running from "E:\work"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.
Checking LEGACY_IpSec: Attention! Unable to open LEGACY_IpSec\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\ipsec.sys is missing.
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
acsint(9) acsmux(10) Gpc(6) IPSec(5) mfetdi2k(8) mfetdik(8) NetBT(5) PSched(7) Tcpip(3)
0x0A0000000400000001000000020000000300000008000000050000000600000007000000090000000A000000
Attention! IpSec Tag value should be 4.

**** End of log ****

Thanks in advance
etaf (Wayne)
Moderator with 52,047 posts.
Join Date: Oct 2003
Location: Surrey, UK
10-Apr-2012, 01:36 PM #2
have a read here
http://forums.techguy.org/virus-othe...e-posting.html

and post the logs - need to make sure the PC is clean from any malware/virus
thermo
Member with 4 posts.
THREAD STARTER
Join Date: Apr 2012
Experience: Beginner
10-Apr-2012, 04:47 PM #3
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:44:00 PM, on 4/10/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\engineer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=3070731
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/hws/sb/dell-...tml?channel=uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-...tml?channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:18810
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] "C:\Program Files\Wave Systems Corp\SecureUpgrade.exe"
O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"
O4 - HKLM\..\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
O4 - HKLM\..\Run: [DellConnectionManager] "C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [drivermgr] C:\Documents and Settings\engineer\Application Data\devicemgrpro.exe
O4 - HKLM\..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\engineer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [lntnwfwi] C:\DOCUME~1\engineer\LOCALS~1\Temp\xiupukroq\lwbsmyosika.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NextMove PCI (2) Auto Initialization.lnk = C:\Program Files\Mint Machine Center\PCIWizard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29B16EC0-2500-4DFF-9B5A-E87BAEBAA2C3}: NameServer = 130.207.244.244,130.207.244.251
O17 - HKLM\System\CS1\Services\Tcpip\..\{29B16EC0-2500-4DFF-9B5A-E87BAEBAA2C3}: NameServer = 130.207.244.244,130.207.244.251
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: NecUsb3Sevices - USB3Sw32.dll (file missing)
O20 - Winlogon Notify: USB3Sw32 - USB3Sw32.dll (file missing)
O23 - Service: Invoker (amoagent) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Pmj151la (as32svc) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Ntsvcmgr (cdrbsdrv) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Was (crystalinputfileserver) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Device Manager - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: EventServer - TODO: <Company name> - C:\Program Files\Thermo\Avantage\Bin\EventServer.exe
O23 - Service: UMPass (FETNDIS) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Smith Micro Connection Manager Service (SMManager) - Smith Micro Software, Inc. - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
O23 - Service: Spectrometer - Unknown owner - C:\Program Files\Thermo\Avantage\Bin\Spectrometer.exe
O23 - Service: Syntek STK1150 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Cisco AnyConnect Secure Mobility Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
O23 - Service: Ma763004 (winpppoverethernet) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: OsaFsLoc (ZY202_XP) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)

--
End of file - 11118 bytes


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by engineer at 13:44:24 on 2012-04-10
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2030.1427 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
uDefault_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=3070731
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\engineer\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [lntnwfwi] c:\docume~1\engineer\locals~1\temp\xiupukroq\lwbsmyosika.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [<NO NAME>]
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [drivermgr] c:\documents and settings\engineer\application data\devicemgrpro.exe
mRun: [Cisco AnyConnect Secure Mobility Agent for Windows] "c:\program files\cisco\cisco anyconnect secure mobility client\vpnui.exe" -minimized
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nextmo~1.lnk - c:\program files\mint machine center\PCIWizard.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{29B16EC0-2500-4DFF-9B5A-E87BAEBAA2C3} : NameServer = 130.207.244.244,130.207.244.251
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: USB3Sw32 - USB3Sw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\engineer\application data\mozilla\firefox\profiles\v5b2keq9.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\engineer\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-3-27 461864]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-9-19 24064]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-3-28 89624]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2011-8-31 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-6-8 132416]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2011-8-31 147984]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2011-8-31 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-3-27 148520]
R2 T226_1D;T226 Device Driver(T226_1D.sys);c:\windows\system32\drivers\T226_1D.sys [2009-10-14 31104]
R2 T237DRV;T237 Device Driver(T237DRV.sys);c:\windows\system32\drivers\T237DRV.sys [2009-10-14 29312]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-9-19 2066968]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2010-6-1 1590216]
R2 VGUSBDRV;T227 Device Driver(VGUSBDRV.sys);c:\windows\system32\drivers\VGUSBDRV.sys [2009-10-14 36736]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-9-19 144480]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-3-27 180072]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-3-27 59288]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-6-1 10688]
R3 USBMotion;USBMotion.SYS - USB Motion Controller;c:\windows\system32\drivers\USBMotion.sys [2009-10-14 19968]
S2 avg7alrt;Cdr4_xp;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 avg7rsw;W3svc;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
S2 clientservice;Camdrl;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 Device Manager;Device Manager;c:\documents and settings\engineer\application data\devicemgrsvc.bat [2012-3-24 115]
S2 lpx;Mvc25U870_VID_1262&PID_25FD;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 mcdetect.exe;Ashampoodefragservice;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 mcproxy;Clr_optimization_v2.0.50215_32;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 mcrdsvc;S616mdfl;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 navex15;Prismxl;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 ofcpfwsvc;Afs2k;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 ofcservice;W800mdfl;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-4-10 77824]
S2 T226_LDR;T226 Detector Firmware Loader (T226_LDR.sys);c:\windows\system32\drivers\T226_LDR.sys [2009-10-14 10496]
S2 T227_LDR;K-Alpha Spectrometer Firmware Loader (T227_LDR.sys);c:\windows\system32\drivers\T227_LDR.sys [2009-10-14 21888]
S2 T237_LDR;T237 Firmware Loader (T237_LDR.sys);c:\windows\system32\drivers\T237_LDR.sys [2009-10-14 14720]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\cisco\cisco anyconnect secure mobility client\vpnagent.exe [2012-1-13 476112]
S2 ZY202_XP;OsaFsLoc;\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs --> \\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs [?]
S3 acsint;acsint;c:\windows\system32\drivers\acsint.sys [2012-3-25 38440]
S3 acsmux;acsmux;c:\windows\system32\drivers\acsmux.sys [2012-3-25 57000]
S3 EventServer;EventServer;c:\program files\thermo\avantage\bin\EventServer.exe [2010-8-6 135168]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-3-27 87808]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 Spectrometer;Spectrometer;c:\program files\thermo\avantage\bin\Spectrometer.exe [2010-8-6 598016]
S4 ACU;ACU;c:\docume~1\engineer\locals~1\temp\ACU.exe [2010-8-2 523136]
S4 HGIPYIKNBOZCJV;HGIPYIKNBOZCJV;c:\docume~1\engineer\locals~1\temp\HGIPYIKNBOZCJV.exe [2010-8-2 543616]
.
=============== Created Last 30 ================
.
2012-04-10 16:49:04 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0a7bca64-f852-4f90-a24a-a5983279078d}\offreg.dll
2012-03-30 13:48:28 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0a7bca64-f852-4f90-a24a-a5983279078d}\mpengine.dll
2012-03-29 19:50:33 -------- d-----w- c:\documents and settings\engineer\application data\SUPERAntiSpyware.com
2012-03-28 13:31:04 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-03-28 13:30:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-28 06:02:40 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-03-27 18:36:58 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-03-27 17:40:58 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-03-27 17:40:58 65960 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2012-03-27 17:40:58 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-03-27 17:40:58 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-03-27 17:40:58 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2012-03-27 17:40:58 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-03-27 17:40:58 148520 ----a-w- c:\windows\system32\mfevtps.exe
2012-03-27 17:40:58 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-03-27 03:19:34 1324 ----a-w- c:\documents and settings\engineer\local settings\application data\d3d9caps.tmp
2012-03-26 18:10:49 -------- d-----w- c:\documents and settings\engineer\.sslexplorer
2012-03-25 23:35:30 57000 ----a-r- c:\windows\system32\drivers\acsmux.sys
2012-03-25 23:35:29 38440 ----a-r- c:\windows\system32\drivers\acsint.sys
2012-03-25 23:35:24 -------- d-----w- c:\program files\Cisco
2012-03-24 15:38:15 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-24 15:37:08 115 ---h--w- c:\documents and settings\engineer\application data\devicemgrsvc.bat
2012-03-24 15:36:51 210051234 ----a-w- c:\documents and settings\engineer\application data\devicemgrpro.exe
2012-03-24 15:36:43 -------- d-----w- c:\documents and settings\engineer\local settings\application data\AppCore
2012-03-20 18:49:44 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-20 18:49:44 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-03-10 02:50:49 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-13 17:18:33 10704 ----a-w- c:\windows\system32\vpncategories.dll
2012-01-13 17:18:28 33232 ----a-w- c:\windows\system32\vpnevents.dll
2012-01-13 17:08:23 23464 ----a-w- c:\windows\system32\drivers\vpnva.sys
2012-01-13 17:08:20 409848 ----a-w- c:\windows\system32\vpngina.dll
.
============= FINISH: 13:45:30.73 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-04-10 16:43:08
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD16 rev.02.0
Running: p8xqffdr.exe; Driver: C:\DOCUME~1\engineer\LOCALS~1\Temp\pwtdqpow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE1290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE12A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE12D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE1326]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE127C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE1254]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE1268]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE12BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE12FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE12E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE1350]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE133C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE1310]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
thermo (thread starter), 12-Apr-2012, 11:15 PM, #4
Hi, I haven't received a reply within 48 hours; I just wanted to make it more noticed. Thanks.
Cookiegal (Administrator & Malware Removal Specialist), 13-Apr-2012, 10:12 AM, #5
Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2


--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your anti-Virus and anti-spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.



  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
__________________
Microsoft MVP - Consumer Security
thermo (thread starter), 18-Apr-2012, 09:13 PM, #6
ComboFix 12-04-16.02 - expert 04/18/2012 21:03:19.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2030.1242 [GMT -4:00]
Running from: c:\documents and settings\expert\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\expert\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\expert\Local Settings\Application Data\{BA14C115-B92D-4DF3-A05C-1E20323B063A}
c:\documents and settings\expert\Local Settings\Application Data\{BA14C115-B92D-4DF3-A05C-1E20323B063A}\chrome.manifest
c:\documents and settings\expert\Local Settings\Application Data\{BA14C115-B92D-4DF3-A05C-1E20323B063A}\chrome\content\overlay.xul
c:\documents and settings\expert\Local Settings\Application Data\{BA14C115-B92D-4DF3-A05C-1E20323B063A}\install.rdf
c:\documents and settings\testuser\Local Settings\Application Data\{F560089D-429A-498A-8427-986035912176}
c:\documents and settings\testuser\Local Settings\Application Data\{F560089D-429A-498A-8427-986035912176}\chrome.manifest
c:\documents and settings\testuser\Local Settings\Application Data\{F560089D-429A-498A-8427-986035912176}\chrome\content\overlay.xul
c:\documents and settings\testuser\Local Settings\Application Data\{F560089D-429A-498A-8427-986035912176}\install.rdf
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-19 to 2012-04-19 )))))))))))))))))))))))))))))))
.
.
2012-04-18 14:40 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{545A3E6E-0E3C-4931-934B-A77554B7B070}\mpengine.dll
2012-04-18 14:34 . 2012-04-18 14:34 -------- d-----w- c:\windows\LastGood
2012-04-18 14:28 . 2008-04-14 12:00 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-04-18 14:28 . 2008-04-14 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-03-31 14:02 . 2012-03-31 14:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-03-28 13:57 . 2012-03-28 13:57 -------- d-----w- c:\documents and settings\expert\Application Data\Malwarebytes
2012-03-28 13:31 . 2012-03-28 13:31 -------- d-----w- c:\documents and settings\expert\Application Data\SUPERAntiSpyware.com
2012-03-28 13:31 . 2012-03-28 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-28 13:30 . 2012-03-28 13:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-28 06:02 . 2011-09-01 00:07 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-03-27 17:40 . 2011-09-01 00:07 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-03-27 17:40 . 2011-09-01 00:07 65960 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2012-03-27 17:40 . 2011-09-01 00:07 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-03-27 17:40 . 2011-09-01 00:07 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-03-27 17:40 . 2011-09-01 00:07 23864 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2012-03-27 17:40 . 2011-09-01 00:07 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-03-27 17:40 . 2011-09-01 00:07 148520 ----a-w- c:\windows\system32\mfevtps.exe
2012-03-27 17:40 . 2011-09-01 00:07 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-03-27 17:00 . 2012-03-27 17:00 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2012-03-26 18:10 . 2012-03-26 18:10 -------- d-----w- c:\documents and settings\engineer\.sslexplorer
2012-03-25 23:35 . 2012-01-13 17:07 57000 ----a-r- c:\windows\system32\drivers\acsmux.sys
2012-03-25 23:35 . 2012-01-13 17:07 38440 ----a-r- c:\windows\system32\drivers\acsint.sys
2012-03-25 23:35 . 2012-03-25 23:35 -------- d-----w- c:\program files\Cisco
2012-03-20 18:49 . 2012-03-20 18:49 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-20 18:49 . 2012-03-20 18:49 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-18 14:30 . 2010-02-22 19:15 0 ----a-w- c:\documents and settings\expert\Local Settings\Application Data\WavXMapDrive.bat
2012-03-14 02:15 . 2010-08-04 13:40 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-10 02:50 . 2011-05-17 17:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-31 12:44 . 2010-08-02 21:37 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-03-20 18:49 . 2011-04-24 16:05 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-09-01 00:07 . 2012-03-27 17:40 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-18_14.30.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-25 16:16 . 2012-04-18 14:35 80180 c:\windows\system32\perfc009.dat
- 2008-04-25 16:16 . 2012-04-18 14:21 80180 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2012-04-18 14:35 467156 c:\windows\system32\perfh009.dat
- 2008-04-25 16:16 . 2012-04-18 14:21 467156 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-04-22 09:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-04-22 09:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-02-26 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-04-22 656696]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-04-10 1810432]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-06-08 333120]
"drivermgr"="c:\documents and settings\engineer\Application Data\devicemgrpro.exe" [2012-04-18 192512]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2012-01-13 527312]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-09-01 124224]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NextMove PCI (2) Auto Initialization.lnk - c:\program files\Mint Machine Center\PCIWizard.exe [2007-8-3 50432]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfee EngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Documents and Settings\\engineer\\Application Data\\devicemgrpro.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [9/19/2009 11:19 AM 24064]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/28/2012 2:02 AM 89624]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 12:56 AM 133968]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [10/13/2011 6:21 PM 249648]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/31/2011 8:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/27/2012 1:40 PM 148520]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [4/10/2009 7:08 AM 77824]
R2 T226_1D;T226 Device Driver(T226_1D.sys);c:\windows\system32\drivers\T226_1D.sys [10/14/2009 10:21 AM 31104]
R2 T237DRV;T237 Device Driver(T237DRV.sys);c:\windows\system32\drivers\T237DRV.sys [10/14/2009 10:21 AM 29312]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [9/19/2009 2:46 AM 2066968]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [6/1/2010 4:03 PM 1590216]
R2 VGUSBDRV;T227 Device Driver(VGUSBDRV.sys);c:\windows\system32\drivers\VGUSBDRV.sys [10/14/2009 10:21 AM 36736]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [1/13/2012 1:17 PM 476112]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [9/19/2009 11:19 AM 144480]
R3 EventServer;EventServer;c:\program files\Thermo\Avantage\Bin\EventServer.exe [8/6/2010 11:29 AM 135168]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [6/1/2010 4:03 PM 10688]
R3 Spectrometer;Spectrometer;c:\program files\Thermo\Avantage\Bin\Spectrometer.exe [8/6/2010 11:29 AM 598016]
R3 USBMotion;USBMotion.SYS - USB Motion Controller;c:\windows\system32\drivers\USBMotion.sys [10/14/2009 11:02 AM 19968]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [10/21/2011 4:23 PM 196176]
S2 Device Manager;Device Manager;c:\documents and settings\engineer\Application Data\devicemgrsvc.bat [3/24/2012 11:37 AM 115]
S2 T226_LDR;T226 Detector Firmware Loader (T226_LDR.sys);c:\windows\system32\drivers\T226_LDR.sys [10/14/2009 10:21 AM 10496]
S2 T227_LDR;K-Alpha Spectrometer Firmware Loader (T227_LDR.sys);c:\windows\system32\drivers\T227_LDR.sys [10/14/2009 10:21 AM 21888]
S2 T237_LDR;T237 Firmware Loader (T237_LDR.sys);c:\windows\system32\drivers\T237_LDR.sys [10/14/2009 10:21 AM 14720]
S3 acsint;acsint;c:\windows\system32\drivers\acsint.sys [3/25/2012 7:35 PM 38440]
S3 acsmux;acsmux;c:\windows\system32\drivers\acsmux.sys [3/25/2012 7:35 PM 57000]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/27/2012 1:40 PM 87808]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S4 ACU;ACU;c:\docume~1\engineer\LOCALS~1\Temp\ACU.exe [8/2/2010 12:54 PM 523136]
S4 HGIPYIKNBOZCJV;HGIPYIKNBOZCJV;c:\docume~1\engineer\LOCALS~1\Temp\HGIPYIKNBOZCJV.exe [8/2/2010 12:58 PM 543616]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
CTDevice_Srv
oracleorahome90agent
sonicwall_netextender
ZuneWlanCfgSvc
tosrfhid
QV2KUX
DumaNT
UMAXPCLS
tifsfilter
ALYac_PZSrv
Sk9920nt
dvd_2K
pdiddcci
SE2Cbus
apphostsvc
purendis
tifm
EAWDMFD
tomcatcws3
nvenetfd
bthidenum
incdrec
NETw5x32
bc_ip_f
RMCAST
McciCMService
navex15
Accelerometer
vcdsecs
wlluc48b
VRcore
NPPTNT
backupclientsvc
ni_nic
cmigameport
mcrdsvc
astcc
iolodmv
windrvNT
bthmodem
cpucoolserver
wacomvhid
Stltrk2k
IntuitUpdateService
passthru
hidbatt
nv
netdetect
rtl8185
harmony
vmsprog
pca
winpowermonitor
trioservice
buslogic
yukonwlh
RMSvc
lvtuner
pdlnemap
winss
vsapint
oracleorahomedatagatherer
nfmservice
{a7447300-8075-4b0d-83f1-3d75c8ebc623}
s125mdfl
cwafadmincontroller
hdaudaddservice
sqlagent$soshome22
qserver
ikhlayer
szkg
sifilter
vaiomediaplatform-musicserver-appserver
prfldsvc
A4S2600
GcKernel
pshost
elnkservice
knobserv
btdriver
ibmpmsvc
61883
videX32
tifmsony
spcsutilityservice
sermouse
dbmanagerscheduler
MA-620
smsmdd
snmptrapdservice
hwpsgt
KLOGNT
RDID1007
adsservice
RadProbe
ood2000
fcprintservice
ofcservice
tangoservice
psadd
AtiPcie
tgsrvc_smartagent
mcdbus
elbycdfl
qmofiltr
IntelC53
WD_FireWire_HID
aeaudio
mdc8021x
mcdetect.exe
downloadmanagerlite
kbstuff
NICSer_WPC300N
iam
ScFBPNT2
SNTIE
CTEAPSFX.DLL
bobo
susbser
nvata
ativraxx
w300bus
vzcdbsvc
winpppoverethernet
emAudio
tdrpman174
smtpd32
cdrbsdrv
RTSTOR
delldmi
EMSCR
cxlpt
ssscsisv
ssrtln
lmimaint
aslm75
SDdriver
SE26bus
clientservice
se45unic
retrolauncher
IBM_LLC2
amoagent
as32svc
p17xfilt
rvscc
s117nd5
SeaPort
fallback
crystalinputfileserver
CAM1210
icepack
sysenforce
NdisFilt
FireHook
SaiH040B
Xponaut_WBD
wg3n
npkcsvc
nchssvad
qkbfiltr
wmp54gv4svc
DN2AKNET
zebrmdfl
sysmgmthp
webupdate
lpx
adpu320
MaVctrl
G400DH
webdriveservice
compbatt
CnxTrUsb
USBDongle
msfwsvc
nicser_wmp11
SrvcEKIOMngr
ofcpfwsvc
HpqKbFiltr
mssql$soshome22
SRVLOC
sis162u
rootmodem
bh611
CTAudSvcService
tfsncofs
Invoker
bgsvcgen
regmon701
mmc_2K
se44obex
vmkbd2
ovmsmaccessmanager
DSI_SiUSBXp_3_1
advservice
CX23880
wlancfg
x10nets
ISAMSvc
asuskeyboardservice
avg7alrt
WacomVKHid
genmcmn
msloop
dcstor32
MaxtorFrontPanel1
imountsrv
JiaoCap
se59bus
eeyeevnt
remoterecord
ds1
AR5523
NsTrcNT
atitunep
msvsmon90
amusbprt
catchme
se2Dnd5
mcproxy
oracleorahome811cman
cpqfws2e
rdnaoflsvc
queuemgr
FET5X86V
acprfmgrsvc
BootScreen
SrvcTPIOMngr
megamonitorsrv
ppmoucls
dlcc_device
int15
ASFWHide
ehrecvr
WIBUKEY
CA561
pcdrndisuio
se2Cunic
cpqfcalm
yats32
nvax
fireport
npapimon
mi-raysat_3dsmax8
ACDaemon
tsmservice
retroexplauncher
dlaboiom
sisidex
Dfs
LEX_AS_NIC_SERVICE_YNOS
btwmodem
atmeltpm
transcode360
ss_mdfl
efs
websensedcagent
sprtsvc_dellsupportcenter
MTDVC2
aniwzcsdservice
axskbus
dlcf_device
s616unic
useraccess
sfhlp02
hsf_dpv
BsHelpCS
FETNDIS
SRTSP
avg7rsw
btaudio
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
napagent
hkmsvc
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-829228684-345874965-846607573-1010Core.job
- c:\documents and settings\engineer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-02 22:02]
.
2012-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-829228684-345874965-846607573-1010UA.job
- c:\documents and settings\engineer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-02 22:02]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-829228684-345874965-846607573-1011Core.job
- c:\documents and settings\expert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-31 23:52]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-829228684-345874965-846607573-1011UA.job
- c:\documents and settings\expert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-31 23:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: Interfaces\{29B16EC0-2500-4DFF-9B5A-E87BAEBAA2C3}: NameServer = 130.207.244.244,130.207.244.251
FF - ProfilePath - c:\documents and settings\expert\Application Data\Mozilla\Firefox\Profiles\p5x2vo2a.default\
FF - prefs.js: browser.startup.homepage - hxxp://grover.mirc.gatech.edu/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-18 21:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c4,3b,ae,93,fe,b2,b3,41,88,86,b4, \
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c4,3b,ae,93,fe,b2,b3,41,88,86,b4, \
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\VPNGina.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\wvauth.dll
.
Completion time: 2012-04-18 21:09:21
ComboFix-quarantined-files.txt 2012-04-19 01:09
ComboFix2.txt 2012-04-18 14:36
.
Pre-Run: 128,532,787,200 bytes free
Post-Run: 128,529,281,024 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - EEA89AE8FDB42F42058D0197F41D3AF9
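A first-pass triage a responder would run over a report like the one above, written here as an added example in Python and not part of the thread or of ComboFix. It parses three of the report's line shapes (Run values, firewall AuthorizedApplications entries, and the R*/S* service table) and ranks for verification any entry whose image lives in a user-writable location (a user profile's Application Data, Local Settings\Temp, or \windows\temp) or is a script rather than a PE. The sample text is a constructed excerpt in ComboFix's format, modelled on entries visible in the log; the check decides nothing about whether those entries are malicious, it only orders what to look at first.

```python
import re

# Constructed excerpt in the report format ComboFix uses (the Run key, the
# firewall AuthorizedApplications list and the service table), modelled on
# entries that appear in the log above. Which of them are malicious is not
# something this check decides; it only ranks what to verify first.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"drivermgr"="c:\documents and settings\engineer\Application Data\devicemgrpro.exe" [2012-04-18 192512]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Documents and Settings\\engineer\\Application Data\\devicemgrpro.exe"=
.
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [6/1/2010 4:03 PM 1590216]
S2 Device Manager;Device Manager;c:\documents and settings\engineer\Application Data\devicemgrsvc.bat [3/24/2012 11:37 AM 115]
S4 ACU;ACU;c:\docume~1\engineer\LOCALS~1\Temp\ACU.exe [8/2/2010 12:54 PM 523136]
"""

# One regex per line shape: Run value, firewall exception, service row.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[')
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[')

# Locations an unprivileged user (or anything running as that user) can write to.
USER_WRITABLE = (
    re.compile(r'\\documents and settings\\[^\\]+\\(application data|local settings)\\', re.I),
    re.compile(r'\\docume~1\\[^\\]+\\locals~1\\temp\\', re.I),
    re.compile(r'\\windows\\temp\\', re.I),
)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")


def iter_entries(report):
    """Yield (kind, name, path) for every autostart, firewall and service line."""
    for raw in report.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            yield "autorun", m["name"], m["path"]
            continue
        m = FW_RE.match(line)
        if m:
            path = m["path"].replace("\\\\", "\\")   # the list stores escaped backslashes
            yield "firewall-exception", path.rsplit("\\", 1)[-1], path
            continue
        m = SVC_RE.match(line)
        if m:
            yield "service:" + m["start"], m["name"], m["path"]


def suspicious_reasons(path):
    """Return the reasons a binary path deserves a look, empty if none apply."""
    reasons = []
    if any(p.search(path) for p in USER_WRITABLE):
        reasons.append("binary lives in a user-writable location")
    if path.lower().endswith(SCRIPT_EXT):
        reasons.append("image is a script rather than a PE")
    return reasons


def triage(report):
    """Return the entries worth verifying, each with the reasons it was picked."""
    findings = []
    for kind, name, path in iter_entries(report):
        reasons = suspicious_reasons(path)
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['kind']:<20} {f['name']:<18} {f['path']}\n    {'; '.join(f['reasons'])}")
```

On the sample this picks out the Run value, the firewall exception and the two services that point into the user's profile or Temp, and leaves the Program Files entries alone; a hit means "hash it and check the signer and the file's history", not "delete it".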
Cookiegal (Administrator & Malware Removal Specialist), 19-Apr-2012, 01:21 PM, #7
Open Notepad and copy and paste the text in the code box below into it:

Code:
Driver::
HGIPYIKNBOZCJV

NetSvcs::
CTDevice_Srv
oracleorahome90agent
sonicwall_netextender
ZuneWlanCfgSvc
tosrfhid
QV2KUX
DumaNT
UMAXPCLS
tifsfilter
ALYac_PZSrv
Sk9920nt
dvd_2K
pdiddcci
SE2Cbus
apphostsvc
purendis
tifm
EAWDMFD
tomcatcws3
nvenetfd
bthidenum
incdrec
NETw5x32
bc_ip_f
RMCAST
McciCMService
navex15
Accelerometer
vcdsecs
wlluc48b
VRcore
NPPTNT
backupclientsvc
ni_nic
cmigameport
mcrdsvc
astcc
iolodmv
windrvNT
bthmodem
cpucoolserver
wacomvhid
Stltrk2k
IntuitUpdateService
passthru
hidbatt
nv
netdetect
rtl8185
harmony
vmsprog
pca
winpowermonitor
trioservice
buslogic
yukonwlh
RMSvc
lvtuner
pdlnemap
winss
vsapint
oracleorahomedatagatherer
nfmservice
{a7447300-8075-4b0d-83f1-3d75c8ebc623}
s125mdfl
cwafadmincontroller
hdaudaddservice
sqlagent$soshome22
qserver
ikhlayer
szkg
sifilter
vaiomediaplatform-musicserver-appserver
prfldsvc
A4S2600
GcKernel
pshost
elnkservice
knobserv
btdriver
ibmpmsvc
61883
videX32
tifmsony
spcsutilityservice
sermouse
dbmanagerscheduler
MA-620
smsmdd
snmptrapdservice
hwpsgt
KLOGNT
RDID1007
adsservice
RadProbe
ood2000
fcprintservice
ofcservice
tangoservice
psadd
AtiPcie
tgsrvc_smartagent
mcdbus
elbycdfl
qmofiltr
IntelC53
WD_FireWire_HID
aeaudio
mdc8021x
mcdetect.exe
downloadmanagerlite
kbstuff
NICSer_WPC300N
iam
ScFBPNT2
SNTIE
CTEAPSFX.DLL
bobo
susbser
nvata
ativraxx
w300bus
vzcdbsvc
winpppoverethernet
emAudio
tdrpman174
smtpd32
cdrbsdrv
RTSTOR
delldmi
EMSCR
cxlpt
ssscsisv
ssrtln
lmimaint
aslm75
SDdriver
SE26bus
clientservice
se45unic
retrolauncher
IBM_LLC2
amoagent
as32svc
p17xfilt
rvscc
s117nd5
SeaPort
fallback
crystalinputfileserver
CAM1210
icepack
sysenforce
NdisFilt
FireHook
SaiH040B
Xponaut_WBD
wg3n
npkcsvc
nchssvad
qkbfiltr
wmp54gv4svc
DN2AKNET
zebrmdfl
sysmgmthp
webupdate
lpx
adpu320
MaVctrl
G400DH
webdriveservice
compbatt
CnxTrUsb
USBDongle
msfwsvc
nicser_wmp11
SrvcEKIOMngr
ofcpfwsvc
HpqKbFiltr
mssql$soshome22
SRVLOC
sis162u
rootmodem
bh611
CTAudSvcService
tfsncofs
Invoker
bgsvcgen
regmon701
mmc_2K
se44obex
vmkbd2
ovmsmaccessmanager
DSI_SiUSBXp_3_1
advservice
CX23880
wlancfg
x10nets
ISAMSvc
asuskeyboardservice
avg7alrt
WacomVKHid
genmcmn
msloop
dcstor32
MaxtorFrontPanel1
imountsrv
JiaoCap
se59bus
eeyeevnt
remoterecord
ds1
AR5523
NsTrcNT
atitunep
msvsmon90
amusbprt
catchme
se2Dnd5
mcproxy
oracleorahome811cman
cpqfws2e
rdnaoflsvc
queuemgr
FET5X86V
acprfmgrsvc
BootScreen
SrvcTPIOMngr
megamonitorsrv
ppmoucls
dlcc_device
int15
ASFWHide
ehrecvr
WIBUKEY
CA561
pcdrndisuio
se2Cunic
cpqfcalm
yats32
nvax
fireport
npapimon
mi-raysat_3dsmax8
ACDaemon
tsmservice
retroexplauncher
dlaboiom
sisidex
Dfs
LEX_AS_NIC_SERVICE_YNOS
btwmodem
atmeltpm
transcode360
ss_mdfl
efs
websensedcagent
sprtsvc_dellsupportcenter
MTDVC2
aniwzcsdservice
axskbus
dlcf_device
s616unic
useraccess
sfhlp02
hsf_dpv
BsHelpCS
FETNDIS
SRTSP
avg7rsw
btaudio

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"NecUsb3Sevic"=-
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
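What the NetSvcs:: block of the script above does, and how to reproduce the check behind "NETSVCS REQUIRES REPAIRS", as an added example in Python that is not part of the thread or of ComboFix. The netsvcs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost is the REG_MULTI_SZ list of service names that the netsvcs svchost.exe instance will host; for each name that has a key under ...\Services with a ServiceDll, svchost loads that DLL. A name with no service key is inert padding and can simply be dropped from the list, which is what the NetSvcs:: directive does for the entries it names. A non-stock name that does have a service key is the one that matters, because its DLL really gets loaded into svchost, so it should be inspected before anything is deleted. The baseline below is the set of entries left in this thread's log once the script's removals are applied (the stock XP SP3 group); the sample netsvcs value and service-key set are constructed, and "ExampleVendorSvc" is a hypothetical name. read_live_netsvcs() is only usable on the Windows host being examined.

```python
import sys

# Baseline: the netsvcs members left in this thread's log once the fix
# script's NetSvcs:: removals are applied (the stock Windows XP SP3 group).
XP_SP3_NETSVCS = frozenset({
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "napagent", "hkmsvc", "BITS", "wuauserv",
    "ShellHWDetection", "helpsvc", "WmdmPmSN",
})

# Constructed sample: a short netsvcs value mixing stock members, three of the
# padding names from the log above, and a hypothetical third-party service
# ("ExampleVendorSvc") that really has a key under ...\Services.
SAMPLE_NETSVCS = ["6to4", "AppMgmt", "DHCP", "CTDevice_Srv", "oracleorahome90agent",
                  "sqlagent$soshome22", "ExampleVendorSvc", "Rasman", "wuauserv"]
SAMPLE_SERVICE_KEYS = {"6to4", "AppMgmt", "Dhcp", "RasMan", "wuauserv",
                       "ExampleVendorSvc", "McAfeeEngineService"}


def audit_netsvcs(netsvcs, service_keys, baseline=XP_SP3_NETSVCS):
    """Sort netsvcs members into three buckets.

    expected   - stock member of the group
    unexpected - not stock, but a service key exists: svchost will actually try
                 to load its ServiceDll, so inspect that DLL before deciding
    orphaned   - no service key at all: inert padding, safe to drop
    Comparison is case-insensitive, as the service control manager's is.
    """
    base = {s.lower() for s in baseline}
    keys = {s.lower() for s in service_keys}
    result = {"expected": [], "unexpected": [], "orphaned": []}
    for name in netsvcs:
        if name.lower() in base:
            result["expected"].append(name)
        elif name.lower() in keys:
            result["unexpected"].append(name)
        else:
            result["orphaned"].append(name)
    return result


def cfscript_netsvcs(result):
    """Render the orphaned names as the NetSvcs:: block ComboFix scripts use."""
    return "\n".join(["NetSvcs::"] + result["orphaned"])


def read_live_netsvcs():
    """Windows only: read the live netsvcs value and the set of service key names."""
    import winreg  # assumption: run on the host under examination
    svchost = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, svchost) as k:
        netsvcs, _ = winreg.QueryValueEx(k, "netsvcs")
    services = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as k:
        i = 0
        while True:
            try:
                services.add(winreg.EnumKey(k, i))
            except OSError:          # EnumKey raises once the index passes the last subkey
                break
            i += 1
    return netsvcs, services


if __name__ == "__main__":
    if sys.platform == "win32":
        netsvcs, keys = read_live_netsvcs()
    else:
        netsvcs, keys = SAMPLE_NETSVCS, SAMPLE_SERVICE_KEYS
    result = audit_netsvcs(netsvcs, keys)
    for bucket, names in result.items():
        print(f"{bucket:<10} ({len(names)}): {', '.join(names)}")
    if result["orphaned"]:
        print("\n" + cfscript_netsvcs(result))
```

Only the orphaned names go into the generated NetSvcs:: block; an "unexpected" entry is deliberately left for a human, since removing a real service from the group stops svchost loading it but leaves its DLL and service key in place, and it may equally be a legitimate vendor service. The same split applies to the extra svchost group ("NecUsb3Sevic") the script deletes from the Svchost key: a group name is only a label, what matters is which service keys reference it and what ServiceDll they point at.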

Tags: internet, ipsec, malware, registry key, reset registry key

This thread has expired.