Malwarebytes

MB fails to remove 6 infected files after re-boot

17 replies to this topic

#1
nr800

    New Member

  • Members
  • 10 posts
Hello all,

Having read a similar post on this forum I am hoping you will be able to help me out as well.

My laptop got infected with the AntiVirus Pro 2010 "software" the other day. Searching around on how to remove it, I came across Malwarebytes. Loaded it up and ran it, and it appeared to do the job; it even removed the feedyard redirect problem. However, it said that 6 objects could not be removed and would require a reboot. After the re-boot I get a message about not being able to find calc.dll. Running MB again results in the same 6 files still there. So I am back here in the hope you will be able to help me.

The MB log and HijackThis log are below.

Malwarebytes' Anti-Malware 1.41
Database version: 2971
Windows 5.1.2600 Service Pack 2

17/10/2009 18:42:11
mbam-log-2009-10-17 (18-42-03).txt

Scan type: Quick Scan
Objects scanned: 154990
Time elapsed: 1 hour(s), 27 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\nr\Start Menu\Programs\Startup\scandisk.dll (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\nr\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.


#2
nr800

    New Member

  • Members
  • 10 posts
Sorry guys, I know you all must be very busy, but could someone take a look at my logs and offer a suggestion of what to do next, please.

#3
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, please do the following.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

#4
nr800

    New Member

  • Members
  • 10 posts

Blade81, on Oct 26 2009, 09:07 AM, said:

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, please do the following.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Thank you so much for replying, the logs are below:


DDS (Ver_09-10-26.01) - NTFSx86
Run by nr at 18:58:30.78 on 27/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.366 [GMT 0:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Outdated) {E3EA54D7-BEAD-4E68-88E4-C92C9399F260}

============== Running Processes ===============

svchost.exe
C:\Program Files\SafeNet ProtectDrive\ClientDM.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\MentorGraphics\2007.5EE\SDD_HOME\iCDB\win32\bin\iCDBNetLauncher.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SafeNet ProtectDrive\storageencryptionservice.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\Program Files\SafeNet ProtectDrive\pdtrayicon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ArcSoft\TotalMedia\TMMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\SafeNet ProtectDrive\pdencoder.exe
C:\TEMP\KP2CA1.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\nr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Roke IT
uSearch Bar = hxxp://www.google.co.uk
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [calc] rundll32.exe c:\docume~1\networ~1\ntuser.dll,_IWMPEvents@0
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\\FaxCtrl.exe
mRun: [SmartSync - ScheduleSync] c:\progra~1\mobile~1\smarts~1\SCHEDU~1.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [CCDoctorLogonTesting] "c:\program files\rational\clearcase\bin\ccdoctor.exe" /LogonStartup
mRun: [AS00_WN511B] c:\program files\netgear\wn511b\utility\WN511B.exe -hide
mRun: [CrypWarning] "c:\program files\safenet protectdrive\chkcryp.exe"
mRun: [pdtrayicon] "c:\program files\safenet protectdrive\pdtrayicon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tmmoni~1.lnk - c:\program files\arcsoft\totalmedia\TMMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: nationet.com\olb2
Trusted Zone: roke.co.uk\as-ankara.sapnet.ad
Trusted Zone: roke.co.uk\as-delhi.sapnet.ad
Trusted Zone: roke.co.uk\www
Trusted Zone: siemens.com
Trusted Zone: siemens.com\intranet
Trusted Zone: streamsend.com\app
Trusted Zone: roke.co.uk\as-ankara.sapnet.ad
Trusted Zone: roke.co.uk\as-delhi.sapnet.ad
Trusted Zone: roke.co.uk\www
Trusted Zone: siemens.com\intranet
Trusted Zone: streamsend.com\app
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - hxxps://rmrlvpn.roke.co.uk/dana-cached/setup/NeoterisSetup.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204333648515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204333601531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: ccnotify - c:\program files\rational\bin\ccnotify.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nr\applic~1\mozilla\firefox\profiles\hq216n2j.default\
FF - prefs.js: browser.startup.homepage - hxxps://intranet1.roke.co.uk/portal/
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 e_dasdf$;e_dasdf$;c:\windows\system32\drivers\ted.sys [2007-8-13 248448]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-7-8 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-9-23 28544]
R0 pdac;ProtectDrive Access Control Filter Driver;c:\windows\system32\drivers\pdAC.sys [2007-8-13 14208]
R0 pded;ProtectDrive Encryption Filter Driver;c:\windows\system32\drivers\pded.sys [2007-8-13 140800]
R0 pdefs;pdefs;c:\windows\system32\drivers\pdefs.sys [2004-6-8 8064]
R0 SafeCgx;SafeCgx;c:\windows\system32\drivers\SafeCgx.sys [2006-9-25 480318]
R2 ClientDataManager;Client Data Manager;c:\program files\safenet protectdrive\ClientDM.exe [2007-8-13 352256]
R2 EESessionManager;Remote Server Configuration Manager;c:\mentorgraphics\2007.5ee\sdd_home\icdb\win32\bin\iCDBNetLauncher.exe [2009-9-10 1396736]
R2 StorageEncryptionService;Storage Encryption Service;c:\program files\safenet protectdrive\storageencryptionservice.exe [2007-8-13 397426]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2009-3-27 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-3-27 36368]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2007-7-8 16194]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2006-11-15 4864]
R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [2005-5-9 507016]
S2 Albd;Atria Location Broker;c:\program files\rational\clearcase\bin\albd_server.exe [2005-5-17 176016]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [2008-10-12 14592]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [2008-10-12 18944]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-31 652552]

=============== Created Last 30 ================

2009-10-27 18:58:29 0 d-----w- c:\temp\5EF.tmp
2009-10-20 19:30:06 296224 ----a-w- c:\temp\KP2CA1.EXE
2009-10-20 19:30:04 25088 --sha-w- c:\windows\system32\calc.dll
2009-10-20 19:30:04 0 d-----w- c:\temp\WPDNSE
2009-10-20 19:29:48 16384 ----atw- c:\temp\Perflib_Perfdata_7c4.dat
2009-10-15 18:12:06 25088 --sha-w- c:\documents and settings\nr\ntuser.dll
2009-10-13 18:53:16 0 d-----w- c:\docume~1\nr\applic~1\Malwarebytes
2009-10-13 18:52:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 18:52:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-13 18:52:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-13 18:52:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 11:49:23 0 d-----w- c:\temp\10111249000014449kk8cmksmn
2009-10-11 11:49:18 0 d-----w- c:\temp\1011124900001444kmtowdsp71
2009-10-11 11:49:07 0 d-----w- c:\temp\1011124900001444ycfm8wym4c
2009-10-11 11:48:42 0 d-----w- c:\temp\1011124800001444uxnkmb0gft
2009-10-11 11:48:35 0 d-----w- c:\temp\1011124800001444fq5hjagie5
2009-10-11 11:48:29 0 d-----w- c:\temp\101112480000144442fo73rkgj
2009-10-11 11:48:16 0 d-----w- c:\temp\1011124800001444h1memlfxya
2009-10-11 11:48:07 0 d-----w- c:\temp\1011124800001444p6h0u7ugku
2009-10-11 11:46:31 0 d-----w- c:\temp\1011124600001444vdpdqydx37
2009-10-11 11:45:47 0 d-----w- c:\temp\1011124500001444wgiq2df5nr
2009-10-11 11:45:13 0 d-----w- c:\temp\10111245000014441o9u4tewad
2009-10-11 11:41:19 100 ----a-w- c:\windows\WININIT.INI
2009-10-11 11:24:43 19594 ----a-w- c:\windows\kiqy._dl
2009-10-11 11:24:43 10367 ----a-w- c:\program files\common files\ujogewy.com
2009-10-11 11:24:42 19068 ----a-w- c:\windows\nyvocuk.dl
2009-10-11 11:24:42 19027 ----a-w- c:\windows\system32\abatepako.bat
2009-10-11 11:24:42 17675 ----a-w- c:\windows\xawaz.lib
2009-10-11 11:24:42 16400 ----a-w- c:\windows\xupunasim.db
2009-10-11 11:24:42 15943 ----a-w- c:\windows\opufede._dl
2009-10-10 22:48:53 16384 ----atw- c:\temp\Perflib_Perfdata_ac.dat
2009-10-06 20:10:43 0 d-----w- c:\temp\VBE
2009-10-06 19:40:34 0 d-----w- c:\temp\1006204000000e24ayz72ofxgw
2009-10-06 19:39:48 0 d-----w- c:\temp\1006203900000e24fdh860453c
2009-10-06 19:38:36 0 d-----w- c:\temp\1006203800000e24clhbc4ycwa
2009-10-06 19:38:22 0 d-----w- c:\temp\1006203800000e24jj3bfoqv79
2009-10-06 19:36:46 0 d-----w- c:\temp\1006203600000e24pgh8uurd7i
2009-10-06 19:36:28 0 d-----w- c:\program files\Microsoft
2009-10-06 19:36:22 0 d-----w- c:\temp\1006203600000e24cbvpcz20sg
2009-10-06 19:36:08 0 d-----w- c:\temp\1006203600000e246c6o20v70l
2009-10-03 15:59:13 0 d-----w- c:\temp\MessengerCache
2009-10-03 15:57:14 16384 ----atw- c:\temp\Perflib_Perfdata_764.dat
2009-09-30 11:52:38 3136 ----a-w- c:\temp\ExchangePerflog_8484fa3123887facbb50682b.dat

==================== Find3M ====================

2009-10-11 11:24:42 15761 ----a-w- c:\program files\common files\ajefepov.db
2009-10-03 18:07:22 77791 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2009-09-06 14:36:02 37 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences.dat
2009-09-06 14:18:56 45 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences2.dat
2003-06-19 11:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll

============= FINISH: 18:58:54.50 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 15/11/2006 17:34:54
System Uptime: 22/10/2009 20:22:11 (118 hours ago)

Motherboard: FUJITSU | | FJNB1AF
Processor: Genuine Intel® CPU T2300 @ 1.66GHz | Onboard | 1662/167mhz
Processor: Genuine Intel® CPU T2300 @ 1.66GHz | Onboard | 1662/167mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 29.242 GiB free.
E: is CDROM ()
M: is NetworkDisk (MVFS) - 1 GiB total, 0.488 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat 6.0 Standard
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Shockwave Player 11
Agere Systems HDA Modem
ArcSoft TotalMedia
AttachmentOptions
AutoIt v3.3.0.0
AWR Design Environment 2006 (7.03.3161.2)
CCleaner (remove only)
ErgChatter
FileZilla Client 3.2.2.1
FinePixViewer Resource
FinePixViewer Ver.5.1
FUJIFILM USB Driver
FWCV_4306_4320_VR002
Garmin Communicator Plugin
Garmin USB Drivers
GC-Prevue
GC-Prevue 17.1.2
GW2ODB Translator
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB954708)
ImageMixer VCD2 LE for FinePix
Intel® Graphics Media Accelerator Driver
InterVideo WinDVD
Java™ 6 Update 11
Juniper Networks Host Checker
Juniper Networks Network Connect 5.0.0
LogCard Utility
Malwarebytes' Anti-Malware
Mathcad 2000 Professional
Memory-Map OS Edition Version 5
Mentor Graphics Products
MGC Visual Studio 7 Runtime
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Standard 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual SourceSafe NetSetup
Mobile Modem Assistant
Mobile Phone Manager
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero Suite
O2Micro Flash Memory Card Windows Driver
O2Micro Smartcard Driver
OKI ADPCM Driver
PDFCreator
Pertmaster v7.81
PM3 Flash Update Utility
PM3 Venue Race Application
PMI
PMI (C:\Program Files\PMTextCtl\)
RangeMax™ NEXT Wireless Notebook Adapter WN511B
Ranger Outpost Remote Client
Rational ClearCase
RAW FILE CONVERTER LE
Realtek High Definition Audio Driver
RFClient
SafeNet ProtectDrive
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
SmartSync
SMS Advanced Client
SoftPlot Measurement Presentation V6.0
SoftPlot Measurement Presentation V7.0
Synaptics Pointing Device Driver
TortoiseSVN 1.6.3.16613 (32 bit)
Trend Micro OfficeScan Client
Unified Messaging for Microsoft Exchange
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB967715)
VNC Free Edition 4.1.3
WebFldrs XP
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB883667
WinRAR archiver
WinZip

==== Event Viewer Messages From Past Week ========

20/10/2009 20:29:56, error: Service Control Manager [7000] - The DS1410D service failed to start due to the following error: The system cannot find the file specified.
20/10/2009 17:49:30, error: NETLOGON [5719] - No Domain Controller is available for domain COMM due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

==== End Of File ===========================
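
The two `[calc]` entries in the Pseudo HJT Report above (HKCU Run loading `ntuser.dll` from a profile directory, HKLM Run loading `calc.dll`, both through `rundll32.exe` with the export `_IWMPEvents@0`) are the persistence that keeps pulling the DLL back in after each reboot, and the same two values appear as "Registry Values Infected" in the MBAM log in post #1. The following is an added example, not part of this thread or of the DDS tool: it parses DDS `uRun:`/`mRun:` lines and flags rundll32 loaders that match those patterns. The sample lines are constructed from the log above, the `u`/`m` = HKCU/HKLM mapping follows DDS convention, the `d` = default-user mapping and the look-alike name list are assumptions.

```python
"""Flag rundll32-based Run-key loaders in a DDS 'Pseudo HJT Report'.

Added example, not part of the thread or of the DDS tool. It reads the
uRun:/mRun:/dRun: lines DDS prints for the Run registry keys and reports
entries that look like the 'calc' persistence in the logs above.
"""
import re
from dataclasses import dataclass, field

# DDS prefixes for the Run keys: u = HKCU, m = HKLM (DDS convention);
# mapping d to the default-user hive is an assumption about DDS output.
HIVE_BY_PREFIX = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

RUN_LINE = re.compile(r"^(?P<prefix>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# rundll32 takes "<dll>,<export>"; the DLL path may be quoted and may use 8.3 names.
RUNDLL32_CMD = re.compile(
    r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)',
    re.IGNORECASE,
)

# A DLL that rundll32 loads from a user profile is not expected for legitimate software.
PROFILE_PREFIXES = ("c:\\docume~1\\", "c:\\documents and settings\\", "c:\\users\\")

# Constructed list: built-in Windows program names that the malware in this
# thread borrowed (calc.dll, scandisk.dll) plus a few more of the same kind.
LOOKALIKE_NAMES = {"calc", "scandisk", "notepad", "taskmgr", "regedit", "explorer"}

# Constructed sample, modelled on the Run lines in the DDS log above.
SAMPLE_DDS_LINES = [
    r'uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background',
    r'uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe',
    r'uRun: [calc] rundll32.exe c:\docume~1\networ~1\ntuser.dll,_IWMPEvents@0',
    r'mRun: [igfxpers] c:\windows\system32\igfxpers.exe',
    r'mRun: [NvCpl] rundll32.exe c:\windows\system32\NvCpl.dll,NvStartup',
    r'mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0',
    r'mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"',
]


@dataclass
class Finding:
    hive: str
    name: str
    dll: str
    export: str
    reasons: list = field(default_factory=list)


def parse_run_entries(lines):
    """Yield (hive, value_name, command) for each Run-key line DDS printed."""
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if m:
            yield HIVE_BY_PREFIX[m["prefix"]], m["name"], m["cmd"]


def analyze(lines):
    """Return a Finding for every rundll32 loader that trips a heuristic."""
    findings = []
    loaders_by_name = {}
    for hive, name, cmd in parse_run_entries(lines):
        m = RUNDLL32_CMD.match(cmd)
        if not m:
            continue  # plain .exe launch; not what this check looks for
        dll = m["dll"].lower()
        f = Finding(hive, name, dll, m["export"])
        if dll.startswith(PROFILE_PREFIXES):
            f.reasons.append("DLL loaded from a user profile directory")
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem in LOOKALIKE_NAMES:
            f.reasons.append(f"DLL name '{stem}' mimics a built-in Windows program")
        loaders_by_name.setdefault(name.lower(), []).append(f)
        if f.reasons:
            findings.append(f)
    # The same value name installed as a rundll32 loader in more than one hive
    # is redundant persistence: exactly the HKLM + HKCU 'calc' pair above.
    for name, group in loaders_by_name.items():
        if len({g.hive for g in group}) > 1:
            for g in group:
                g.reasons.append(f"value '{name}' is a rundll32 loader in several hives")
                if g not in findings:
                    findings.append(g)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_DDS_LINES):
        print(f"{f.hive}\\...\\Run\\{f.name}: {f.dll},{f.export}")
        for r in f.reasons:
            print("   -", r)
```

On the sample the two `calc` loaders are reported with their reasons while the ordinary `.exe` entries and the `NvCpl` rundll32 line are not.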

#5
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.


  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

#6
nr800

    New Member

  • Members
  • 10 posts

Blade81, on Oct 27 2009, 08:19 PM, said:

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Thanks Blade81

Combofix log followed by new DDS log and zipped attach.txt

ComboFix 09-10-26.06 - nr 27/10/2009 21:25.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.344 [GMT 0:00]
Running from: c:\documents and settings\nr\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E3EA54D7-BEAD-4E68-88E4-C92C9399F260}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Documents\tazo.dll
c:\documents and settings\NetworkService\ntuser.dll
c:\documents and settings\nr\Application Data\iniasd.txt
c:\documents and settings\nr\Application Data\rarej.ban
c:\documents and settings\nr\Cookies\gicedyki.db
c:\documents and settings\nr\Local Settings\Application Data\ewuqymiqa.dll
c:\documents and settings\nr\Local Settings\Application Data\ziwo.sys
c:\documents and settings\nr\ntuser.dll
c:\documents and settings\nr\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\nr\Start Menu\Programs\Startup\scandisk.lnk
c:\program files\Common Files\ujogewy.com
c:\windows\kiqy._dl
c:\windows\nyvocuk.dl
c:\windows\opufede._dl
c:\windows\system32\abatepako.bat
c:\windows\system32\calc.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\hf6xi0g.dll
c:\windows\system32\Process.exe
c:\windows\system32\prsgrc.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VCCLSID.exe

----- BITS: Possible infected sites -----

hxxp://wsus.comm.ad.roke.co.uk:8530
hxxp://US-MEDFORD:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SYSTEM


((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-27 21:35 . 2009-10-27 21:35 -------- d-----w- c:\temp\WPDNSE
2009-10-27 21:35 . 2009-05-13 11:16 296224 ----a-w- c:\temp\DC2720.EXE
2009-10-27 21:34 . 2009-10-27 21:34 16384 ----atw- c:\temp\Perflib_Perfdata_780.dat
2009-10-13 18:53 . 2009-10-13 18:53 -------- d-----w- c:\documents and settings\nr\Application Data\Malwarebytes
2009-10-13 18:52 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 18:52 . 2009-10-13 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-13 18:52 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-13 18:52 . 2009-10-13 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 11:49 . 2009-10-27 21:30 -------- d-----w- c:\temp\10111249000014449kk8cmksmn
2009-10-11 11:49 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124900001444kmtowdsp71
2009-10-11 11:49 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124900001444ycfm8wym4c
2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124800001444uxnkmb0gft
2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124800001444fq5hjagie5
2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\101112480000144442fo73rkgj
2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124800001444h1memlfxya
2009-10-11 11:48 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124800001444p6h0u7ugku
2009-10-11 11:46 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124600001444vdpdqydx37
2009-10-11 11:45 . 2009-10-27 21:30 -------- d-----w- c:\temp\1011124500001444wgiq2df5nr
2009-10-11 11:45 . 2009-10-27 21:30 -------- d-----w- c:\temp\10111245000014441o9u4tewad
2009-10-06 20:10 . 2009-10-27 21:30 -------- d-----w- c:\temp\VBE
2009-10-06 19:40 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006204000000e24ayz72ofxgw
2009-10-06 19:39 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203900000e24fdh860453c
2009-10-06 19:38 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203800000e24clhbc4ycwa
2009-10-06 19:38 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203800000e24jj3bfoqv79
2009-10-06 19:36 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203600000e24pgh8uurd7i
2009-10-06 19:36 . 2009-10-06 19:36 -------- d-----w- c:\program files\Microsoft
2009-10-06 19:36 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203600000e24cbvpcz20sg
2009-10-06 19:36 . 2009-10-27 21:30 -------- d-----w- c:\temp\1006203600000e246c6o20v70l
2009-10-03 15:59 . 2009-10-27 21:30 -------- d-----w- c:\temp\MessengerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-17 17:43 . 2006-11-15 16:04 -------- d-----w- c:\program files\Trend Micro
2009-10-11 12:00 . 2007-12-16 22:05 -------- d-----w- c:\program files\Windows Live
2009-10-11 11:43 . 2009-07-02 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-11 11:43 . 2007-07-16 19:15 -------- d-----w- c:\program files\Yahoo!
2009-10-11 11:41 . 2006-11-15 15:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-11 11:24 . 2009-10-11 11:24 15761 ----a-w- c:\program files\Common Files\ajefepov.db
2009-10-10 17:32 . 2009-03-17 17:46 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-02 10:09 . 2006-11-17 22:29 -------- d-----w- c:\documents and settings\nr\Application Data\AdobeUM
2009-09-10 13:11 . 2007-08-22 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\mgc
2009-09-10 13:09 . 2006-11-15 15:46 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-06 14:36 . 2009-08-30 22:16 37 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences.dat
2009-09-06 14:18 . 2009-09-05 11:46 45 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences2.dat
2009-09-04 23:15 . 2006-11-29 18:05 56696 ----a-w- c:\documents and settings\nr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2003-06-19 11:05 . 2003-06-19 11:05 431888 --s-a-w- c:\program files\Common Files\riched20.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-06-05 17:01 85712 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-05 761946]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-05-13 718120]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\\FaxCtrl.exe" [2004-05-20 110592]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"CCDoctorLogonTesting"="c:\program files\Rational\ClearCase\bin\ccdoctor.exe" [2003-09-26 126976]
"AS00_WN511B"="c:\program files\NETGEAR\WN511B\Utility\WN511B.exe" [2006-04-20 1413241]
"CrypWarning"="c:\program files\SafeNet ProtectDrive\chkcryp.exe" [2007-08-13 77824]
"pdtrayicon"="c:\program files\SafeNet ProtectDrive\pdtrayicon.exe" [2007-08-13 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-12-09 15691264]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-01-17 88365]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2006-11-26 282624]
TMMonitor.lnk - c:\program files\ArcSoft\TotalMedia\TMMonitor.exe [2008-10-12 147456]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-11-15 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Concept2\\Venue Race Application\\PM3VenueRace.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

R0 e_dasdf$;e_dasdf$;c:\windows\system32\drivers\ted.sys [13/08/2007 10:01 248448]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [08/07/2005 14:06 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [23/09/2005 07:48 28544]
R0 pdac;ProtectDrive Access Control Filter Driver;c:\windows\system32\drivers\pdAC.sys [13/08/2007 10:01 14208]
R0 pded;ProtectDrive Encryption Filter Driver;c:\windows\system32\drivers\pded.sys [13/08/2007 10:02 140800]
R0 pdefs;pdefs;c:\windows\system32\drivers\pdefs.sys [08/06/2004 19:08 8064]
R0 SafeCgx;SafeCgx;c:\windows\system32\drivers\SafeCgx.sys [25/09/2006 09:38 480318]
R2 EESessionManager;Remote Server Configuration Manager;c:\mentorgraphics\2007.5EE\SDD_HOME\iCDB\win32\bin\iCDBNetLauncher.exe [10/09/2009 12:44 1396736]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [27/03/2009 18:16 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [27/03/2009 18:16 36368]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [08/07/2007 18:50 16194]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [15/11/2006 15:45 4864]
R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [09/05/2005 12:39 507016]
S2 Albd;Atria Location Broker;c:\program files\Rational\ClearCase\bin\albd_server.exe [17/05/2005 21:13 176016]
S2 ClientDataManager;Client Data Manager;c:\program files\SafeNet ProtectDrive\ClientDM.exe [13/08/2007 10:10 352256]
S2 StorageEncryptionService;Storage Encryption Service;c:\program files\SafeNet ProtectDrive\storageencryptionservice.exe [13/08/2007 10:12 397426]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [12/10/2008 09:53 14592]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [12/10/2008 09:53 18944]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [31/10/2008 14:46 652552]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: nationet.com\olb2
Trusted Zone: roke.co.uk\as-ankara.sapnet.ad
Trusted Zone: roke.co.uk\as-delhi.sapnet.ad
Trusted Zone: roke.co.uk\www
Trusted Zone: siemens.com
Trusted Zone: siemens.com\intranet
Trusted Zone: streamsend.com\app
Trusted Zone: roke.co.uk\as-ankara.sapnet.ad
Trusted Zone: roke.co.uk\as-delhi.sapnet.ad
Trusted Zone: roke.co.uk\www
Trusted Zone: siemens.com\intranet
Trusted Zone: streamsend.com\app
FF - ProfilePath - c:\documents and settings\nr\Application Data\Mozilla\Firefox\Profiles\hq216n2j.default\
FF - prefs.js: browser.startup.homepage - hxxps://intranet1.roke.co.uk/portal/
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
Notify-ccnotify - c:\program files\Rational\bin\ccnotify.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 21:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SafeNet ProtectDrive\pcvgina.dll
c:\program files\SafeNet ProtectDrive\pdproduct.dll
c:\program files\SafeNet ProtectDrive\EACS.dll
c:\program files\SafeNet ProtectDrive\cgxapi.dll
c:\windows\system32\SafeCgx.dll
c:\program files\SafeNet ProtectDrive\poieventlog.dll
c:\program files\SafeNet ProtectDrive\EVER.dll
c:\program files\Rational\ClearCase\bin\ccasenp.dll
c:\program files\Rational\ClearCase\bin\LIBATRIANT.dll
c:\program files\SafeNet ProtectDrive\localstoremanager.dll
c:\program files\SafeNet ProtectDrive\baseds.dll
c:\program files\SafeNet ProtectDrive\clientuserstore.dll
c:\program files\SafeNet ProtectDrive\userstore.dll
c:\program files\SafeNet ProtectDrive\userstoreloadersaver.dll
c:\program files\SafeNet ProtectDrive\serverstore.dll
c:\program files\SafeNet ProtectDrive\XercesLib.dll
c:\program files\SafeNet ProtectDrive\usermanagement.dll
c:\program files\SafeNet ProtectDrive\SsoHook.dll

- - - - - - - > 'lsass.exe'(740)
c:\program files\Rational\ClearCase\bin\ccasenp.dll
c:\program files\Rational\ClearCase\bin\LIBATRIANT.dll

- - - - - - - > 'explorer.exe'(3348)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Rational\ClearCase\bin\ccasenp.dll
c:\program files\Rational\ClearCase\bin\LIBATRIANT.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Rational\ClearCase\bin\lockmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\o2flash.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\msiexec.exe
c:\combofix\CF29083.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\temp\DC2720.EXE
c:\program files\RightFax\FaxCtrl.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 21:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 21:40

Pre-Run: 31,309,975,552 bytes free
Post-Run: 31,320,522,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1F844E20DF2051F52582E6CB3DD9A3E2



DDS (Ver_09-10-26.01) - NTFSx86
Run by nr at 21:48:37.64 on 27/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.475 [GMT 0:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Outdated) {E3EA54D7-BEAD-4E68-88E4-C92C9399F260}

============== Running Processes ===============

svchost.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\MentorGraphics\2007.5EE\SDD_HOME\iCDB\win32\bin\iCDBNetLauncher.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\TEMP\DC2720.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ArcSoft\TotalMedia\TMMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\nr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [RightFAX Print-to-Fax Driver] c:\program files\rightfax\\FaxCtrl.exe
mRun: [SmartSync - ScheduleSync] c:\progra~1\mobile~1\smarts~1\SCHEDU~1.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [CCDoctorLogonTesting] "c:\program files\rational\clearcase\bin\ccdoctor.exe" /LogonStartup
mRun: [AS00_WN511B] c:\program files\netgear\wn511b\utility\WN511B.exe -hide
mRun: [CrypWarning] "c:\program files\safenet protectdrive\chkcryp.exe"
mRun: [pdtrayicon] "c:\program files\safenet protectdrive\pdtrayicon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tmmoni~1.lnk - c:\program files\arcsoft\totalmedia\TMMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: nationet.com\olb2
Trusted Zone: roke.co.uk\as-ankara.sapnet.ad
Trusted Zone: roke.co.uk\as-delhi.sapnet.ad
Trusted Zone: roke.co.uk\www
Trusted Zone: siemens.com
Trusted Zone: siemens.com\intranet
Trusted Zone: streamsend.com\app
Trusted Zone: roke.co.uk\as-ankara.sapnet.ad
Trusted Zone: roke.co.uk\as-delhi.sapnet.ad
Trusted Zone: roke.co.uk\www
Trusted Zone: siemens.com\intranet
Trusted Zone: streamsend.com\app
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - hxxps://rmrlvpn.roke.co.uk/dana-cached/setup/NeoterisSetup.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204333648515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204333601531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nr\applic~1\mozilla\firefox\profiles\hq216n2j.default\
FF - prefs.js: browser.startup.homepage - hxxps://intranet1.roke.co.uk/portal/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 e_dasdf$;e_dasdf$;c:\windows\system32\drivers\ted.sys [2007-8-13 248448]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-7-8 34176]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-9-23 28544]
R0 pdac;ProtectDrive Access Control Filter Driver;c:\windows\system32\drivers\pdAC.sys [2007-8-13 14208]
R0 pded;ProtectDrive Encryption Filter Driver;c:\windows\system32\drivers\pded.sys [2007-8-13 140800]
R0 pdefs;pdefs;c:\windows\system32\drivers\pdefs.sys [2004-6-8 8064]
R0 SafeCgx;SafeCgx;c:\windows\system32\drivers\SafeCgx.sys [2006-9-25 480318]
R2 EESessionManager;Remote Server Configuration Manager;c:\mentorgraphics\2007.5ee\sdd_home\icdb\win32\bin\iCDBNetLauncher.exe [2009-9-10 1396736]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2009-3-27 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-3-27 36368]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2007-7-8 16194]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2006-11-15 4864]
R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [2005-5-9 507016]
S2 Albd;Atria Location Broker;c:\program files\rational\clearcase\bin\albd_server.exe [2005-5-17 176016]
S2 ClientDataManager;Client Data Manager;c:\program files\safenet protectdrive\ClientDM.exe [2007-8-13 352256]
S2 StorageEncryptionService;Storage Encryption Service;c:\program files\safenet protectdrive\storageencryptionservice.exe [2007-8-13 397426]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [2008-10-12 14592]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [2008-10-12 18944]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-10-31 652552]

=============== Created Last 30 ================

2009-10-27 21:48:37 0 d-----w- c:\temp\3.tmp
2009-10-27 21:40:27 0 d-----w- c:\temp\WPDNSE
2009-10-27 21:35:03 296224 ----a-w- c:\temp\DC2720.EXE
2009-10-27 21:34:19 16384 ----atw- c:\temp\Perflib_Perfdata_780.dat
2009-10-27 21:24:38 0 d-sha-r- C:\cmdcons
2009-10-27 21:21:51 98816 ----a-w- c:\windows\sed.exe
2009-10-27 21:21:51 77312 ----a-w- c:\windows\MBR.exe
2009-10-27 21:21:51 236544 ----a-w- c:\windows\PEV.exe
2009-10-27 21:21:51 161792 ----a-w- c:\windows\SWREG.exe
2009-10-13 18:53:16 0 d-----w- c:\docume~1\nr\applic~1\Malwarebytes
2009-10-13 18:52:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 18:52:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-13 18:52:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-13 18:52:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 11:49:23 0 d-----w- c:\temp\10111249000014449kk8cmksmn
2009-10-11 11:49:18 0 d-----w- c:\temp\1011124900001444kmtowdsp71
2009-10-11 11:49:07 0 d-----w- c:\temp\1011124900001444ycfm8wym4c
2009-10-11 11:48:42 0 d-----w- c:\temp\1011124800001444uxnkmb0gft
2009-10-11 11:48:35 0 d-----w- c:\temp\1011124800001444fq5hjagie5
2009-10-11 11:48:29 0 d-----w- c:\temp\101112480000144442fo73rkgj
2009-10-11 11:48:16 0 d-----w- c:\temp\1011124800001444h1memlfxya
2009-10-11 11:48:07 0 d-----w- c:\temp\1011124800001444p6h0u7ugku
2009-10-11 11:46:31 0 d-----w- c:\temp\1011124600001444vdpdqydx37
2009-10-11 11:45:47 0 d-----w- c:\temp\1011124500001444wgiq2df5nr
2009-10-11 11:45:13 0 d-----w- c:\temp\10111245000014441o9u4tewad
2009-10-11 11:41:19 100 ----a-w- c:\windows\WININIT.INI
2009-10-11 11:24:42 17675 ----a-w- c:\windows\xawaz.lib
2009-10-11 11:24:42 16400 ----a-w- c:\windows\xupunasim.db
2009-10-06 20:10:43 0 d-----w- c:\temp\VBE
2009-10-06 19:40:34 0 d-----w- c:\temp\1006204000000e24ayz72ofxgw
2009-10-06 19:39:48 0 d-----w- c:\temp\1006203900000e24fdh860453c
2009-10-06 19:38:36 0 d-----w- c:\temp\1006203800000e24clhbc4ycwa
2009-10-06 19:38:22 0 d-----w- c:\temp\1006203800000e24jj3bfoqv79
2009-10-06 19:36:46 0 d-----w- c:\temp\1006203600000e24pgh8uurd7i
2009-10-06 19:36:28 0 d-----w- c:\program files\Microsoft
2009-10-06 19:36:22 0 d-----w- c:\temp\1006203600000e24cbvpcz20sg
2009-10-06 19:36:08 0 d-----w- c:\temp\1006203600000e246c6o20v70l
2009-10-03 15:59:13 0 d-----w- c:\temp\MessengerCache

==================== Find3M ====================

2009-10-11 11:24:42 15761 ----a-w- c:\program files\common files\ajefepov.db
2009-10-03 18:07:22 77791 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2009-09-06 14:36:02 37 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences.dat
2009-09-06 14:18:56 45 ----a-w- c:\documents and settings\nr\jagex_runescape_preferences2.dat
2003-06-19 11:05:04 431888 --s-a-w- c:\program files\common files\riched20.dll

============= FINISH: 21:48:52.78 ===============

Attached Files
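The listing above is in the DDS file-listing format: a timestamp, a size, an 8-character attribute string (a leading `d` marks a directory) and a path. The helper below is an added triage example for this thread; it is not part of DDS, ComboFix or Malwarebytes, and the sample lines, the watched directories, the name patterns and the same-second clustering rule are constructed or assumed from what the posted log shows. It parses such a listing and raises items for a human to review: randomly named data files written directly into `c:\windows` or `c:\program files\common files`, temp directories with the long digit-prefixed names seen in the log, and groups of files written in the very same second across different directories, which usually points at a single writer dropping several files at once.

```python
"""Triage helper for DDS-style file listings (the "Find3M" / "==== ... ====" sections).

Added example for this thread; it is not part of DDS, ComboFix or Malwarebytes.
Each line has the form:  YYYY-MM-DD HH:MM:SS <size> <attrs> <path>
where attrs is an 8-character flag string (d = directory, s = system, a = archive, w = writable).
The heuristics only raise items for review; they never decide that something is malicious.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample, modelled on the listing posted in the thread.
SAMPLE_LISTING = """\
2009-10-13 18:52:57 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-10-11 11:49:23 0 d-----w- c:\\temp\\10111249000014449kk8cmksmn
2009-10-06 19:40:34 0 d-----w- c:\\temp\\1006204000000e24ayz72ofxgw
2009-10-11 11:24:42 17675 ----a-w- c:\\windows\\xawaz.lib
2009-10-11 11:24:42 16400 ----a-w- c:\\windows\\xupunasim.db
2009-10-11 11:24:42 15761 ----a-w- c:\\program files\\common files\\ajefepov.db
2009-10-03 18:07:22 77791 ----a-w- c:\\windows\\fonts\\AdobeFnt07.lst
2003-06-19 11:05:04 431888 --s-a-w- c:\\program files\\common files\\riched20.dll
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")

# Assumed: directories where a freshly written, randomly named data file is unusual.
WATCHED_PARENTS = {r"c:\windows", r"c:\program files\common files"}
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,12}$")
# Temp dirs in the posted log are 12 digits followed by 14 alphanumerics (observed pattern, not a spec).
TEMP_DIR_RE = re.compile(r"^\d{12}[0-9a-z]{14}$")


@dataclass(frozen=True)
class Entry:
    when: datetime
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[1]


def parse_listing(text: str) -> List[Entry]:
    """Parse every well-formed line; headers, separators and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(when, int(m.group(2)), m.group(3), m.group(4)))
    return entries


def is_random_named_file(e: Entry) -> bool:
    """A file (not a directory) with an all-lowercase alphabetic stem directly in a watched parent."""
    if e.is_dir or e.parent not in WATCHED_PARENTS:
        return False
    stem = e.name.rsplit(".", 1)[0]
    return bool(RANDOM_STEM_RE.match(stem))


def is_random_temp_dir(e: Entry) -> bool:
    """A directory under c:\\temp whose name follows the digit-prefixed random pattern."""
    return e.is_dir and e.parent == r"c:\temp" and bool(TEMP_DIR_RE.match(e.name))


def same_second_clusters(entries: List[Entry], minimum: int = 2) -> Dict[datetime, List[Entry]]:
    """Files written in the same second into more than one directory: one writer, several drops."""
    by_time = defaultdict(list)
    for e in entries:
        if not e.is_dir:
            by_time[e.when].append(e)
    return {t: es for t, es in by_time.items()
            if len(es) >= minimum and len({e.parent for e in es}) > 1}


def review_candidates(text: str) -> List[str]:
    """Paths a reviewer should look at, deduplicated and sorted."""
    entries = parse_listing(text)
    flagged = {e.path for e in entries if is_random_named_file(e) or is_random_temp_dir(e)}
    for es in same_second_clusters(entries).values():
        flagged.update(e.path for e in es)
    return sorted(flagged)


if __name__ == "__main__":
    for p in review_candidates(SAMPLE_LISTING):
        print(p)
```

Run against the constructed sample it lists the three same-second files and the two temp directories, and leaves the driver, the font cache and the 2003 `riched20.dll` alone. The name heuristics are deliberately narrow; the same-second rule is the more general signal and works on any listing in this format.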



#7
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi again,

Upload the following file to http://www.virustotal.com and post back the results:
c:\windows\system32\drivers\ted.sys


Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\Common Files\ajefepov.db
c:\temp\3.tmp
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Folder::
c:\temp\10111249000014449kk8cmksmn
c:\temp\1011124900001444kmtowdsp71
c:\temp\1011124900001444ycfm8wym4c
c:\temp\1011124800001444uxnkmb0gft
c:\temp\1011124800001444fq5hjagie5
c:\temp\101112480000144442fo73rkgj
c:\temp\1011124800001444h1memlfxya
c:\temp\1011124800001444p6h0u7ugku
c:\temp\1011124600001444vdpdqydx37
c:\temp\1011124500001444wgiq2df5nr
c:\temp\10111245000014441o9u4tewad
c:\temp\1006204000000e24ayz72ofxgw
c:\temp\1006203900000e24fdh860453c
c:\temp\1006203800000e24clhbc4ycwa
c:\temp\1006203800000e24jj3bfoqv79
c:\temp\1006203600000e24pgh8uurd7i
c:\temp\1006203600000e24cbvpcz20sg
c:\temp\1006203600000e246c6o20v70l


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 16.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Are you still using Adobe Acrobat actively?
Microsoft MVP Consumer Security 2008 2009 2010 2011
ASAP & UNITE member since 2006

#8
nr800

    New Member

  • Members
  • 10 posts

Blade81, on Oct 28 2009, 06:40 AM, said:

Hi again,

Upload the following file to http://www.virustotal.com and post back the results:
c:\windows\system32\drivers\ted.sys


Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\Common Files\ajefepov.db
c:\temp\3.tmp
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Folder::
c:\temp\10111249000014449kk8cmksmn
c:\temp\1011124900001444kmtowdsp71
c:\temp\1011124900001444ycfm8wym4c
c:\temp\1011124800001444uxnkmb0gft
c:\temp\1011124800001444fq5hjagie5
c:\temp\101112480000144442fo73rkgj
c:\temp\1011124800001444h1memlfxya
c:\temp\1011124800001444p6h0u7ugku
c:\temp\1011124600001444vdpdqydx37
c:\temp\1011124500001444wgiq2df5nr
c:\temp\10111245000014441o9u4tewad
c:\temp\1006204000000e24ayz72ofxgw
c:\temp\1006203900000e24fdh860453c
c:\temp\1006203800000e24clhbc4ycwa
c:\temp\1006203800000e24jj3bfoqv79
c:\temp\1006203600000e24pgh8uurd7i
c:\temp\1006203600000e24cbvpcz20sg
c:\temp\1006203600000e246c6o20v70l


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 16.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Are you still using Adobe Acrobat actively?


Hi Blade81,

I think I have done everything as instructed.

I have attached all the log files you requested, hope that's OK.

Yes I do still use Adobe Acrobat.

Thanks

Nigel

Attached Files



#9
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi,

Did you upload the file to VirusTotal? What were the results?

#10
nr800

    New Member

  • Members
  • 10 posts

Blade81, on Oct 30 2009, 07:08 AM, said:

Hi,

Did you upload the file to VirusTotal? What were the results?

Sorry Blade, I missed that one off the upload, here it is.

Nigel

Attached Files



#11
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi again Nigel,

If you're using Adobe Acrobat only to print PDFs then I'd recommend getting a free and less vulnerable option. If you use it for more than that then you should upgrade to a later version, since version 6 is badly outdated and open to different exploits, making your system vulnerable.

Uninstall your current Adobe Shockwave Player and get the fresh one here if needed.

How's the system running now?

#12
nr800

    New Member

  • Members
  • 10 posts

Blade81, on Oct 30 2009, 08:36 PM, said:

Hi again Nigel,

If you're using Adobe Acrobat only to print PDFs then I'd recommend getting a free and less vulnerable option. If you use it for more than that then you should upgrade to a later version, since version 6 is badly outdated and open to different exploits, making your system vulnerable.

Uninstall your current Adobe Shockwave Player and get the fresh one here if needed.

How's the system running now?

Hi there,

Adobe Acrobat does get used for more than just straightforward PDF-ing - will have to sort out an update for it.

Have loaded the version of Shockwave you pointed me to.

The system is running OK now, I am not getting any odd error messages and the installed virus checker doesn't find anything. Thank you so much for your help. Is there anything else I should do now? Do I need to uninstall/delete any programs such as the Windows Recovery Console, and if so how do I do this?

Cheers

Nigel

#13
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi,

The Recovery Console may come in handy if the system becomes unbootable. I'd leave it installed, and that's what the ComboFix author also meant.

Is the Trend Micro Antivirus license still valid? According to the logs, the definition set hasn't been updated lately.

#14
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Hi,

Have you resolved the Trend Micro definition update issue yet?

#15
nr800

    New Member

  • Members
  • 10 posts

Blade81, on Nov 6 2009, 03:19 PM, said:

Hi,

Have you resolved the Trend Micro definition update issue yet?

Hi there, yes I have now managed to update the Trend Micro definitions and have run a scan. No infected files were found. Is there anything else I should now do?

Regards

Nigel

#16
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
Good. Then there's only the ComboFix uninstall left (the following instructions assume you still have ComboFix.exe on your desktop).
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


#17
nr800

    New Member

  • Members
  • 10 posts

Blade81, on Nov 10 2009, 06:48 AM, said:

Good. Then there's only the ComboFix uninstall left (the following instructions assume you still have ComboFix.exe on your desktop).
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

ComboFix is now uninstalled, thank you very much for all your help.

#18
Blade81

    Elite Member

  • Experts
  • 1,229 posts
  • Gender:Male
  • Location:Finland
  • Interests:Floorball, football, music, computers..
You're welcome ;)




