Hijacked - Not sure what though

[MichaelS]

So I was having a problem where I cannot connect to google.com, or bing.com for searches. And it trys to log me into a google.de when I log into google services. Malewarebytes doesn't show anything.

Very odd.

DDS (Ver_10-12-12.02) - NTFSx86

Run by mseymour at 9:56:30.87 on Sun 01/09/2011

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2475 [GMT -7:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: McAfee Host Intrusion Prevention Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

c:\drivers\audio\stacsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\Oracle\ODrive\XfsSvcCon.exe

C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe

C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe

C:\Documents and Settings\mseymour\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\HP\HP Software Update\HPWUCli.exe

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Avira\AntiVir Desktop\avcenter.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\mseymour\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\mseymour\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\mseymour\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\mseymour\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\mseymour\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\mseymour\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\mseymour\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.oracle.com

mDefault_Page_URL = hxxp://my.oracle.com/

mStart Page = hxxp://my.oracle.com/

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: ODriveAdvPropHelper Class: {5d33b3e0-4fb3-4ed1-9106-b6eb06a3b7c2} - c:\windows\system32\ODriveHelper.DLL

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\mseymour\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"

mRun: [TweakAutomaticUpdates] c:\windows\orclobi\gdswsuspatch_soon.exe /s

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"

mRun: [ntpgds] c:\windows\orclobi\synctime.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRunOnce: [FirefoxConfig] c:\windows\orclobi\config\openofficeconfig.exe

dRunOnce: [ThunderbirdConfig] c:\windows\orclobi\config\thunderbirdconfig.exe

dRunOnce: [LightningConfig] c:\windows\orclobi\config\lightningconfig.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico

mPolicies-system: hidefastuserswitching = 1 (0x1)

mPolicies-system: promptpasswordonresume = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: oracle.com\conference

Trusted Zone: oraclecorp.com\global-service

Trusted Zone: oraclecorp.com\global-service

Trusted Zone: siteadvisor.com\www

DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256749179093

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {7A376A89-3DA9-4B3F-B3D4-FBE98B545AB7} - hxxps://global-crm.oraclecorp.com/callcenter_enu/20436/applets/SiebelAx_HI_Client.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ouweb.webex.com/client/T27L10NSP11EP5/training/ieatgpc.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\mcafeemn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 qommli.dll

LSA: Notification Packages = scecli gdspwfilter

Hosts: 188.72.230.11 www.google.com

Hosts: 188.72.230.11 search.yahoo.com

Hosts: 188.72.230.11 www.bing.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mseymour\applic~1\mozilla\firefox\profiles\byup3rcb.default user\

FF - prefs.js: network.proxy.http - www-proxy.us.oracle.com

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.ssl - www-proxy.us.oracle.com

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 1

FF - component: c:\program files\mcafee\siteadvisor enterprise\components\McFFPlg.dll

FF - plugin: c:\documents and settings\mseymour\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: McAfee SiteAdvisor Enterprise: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor Enterprise

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-28 64288]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-10-28 344304]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-8 11608]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]

R1 TDFSD;TDFSD;c:\windows\system32\drivers\tdfsd.sys [2009-5-4 946144]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-8 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-8 267944]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-8 61960]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]

R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-2-6 443168]

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2010-6-15 1498224]

R2 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2010-10-14 35696]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]

R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-8-6 222528]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-8-31 21256]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-8-31 146448]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-8-31 66896]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-28 69192]

R2 MyDesktopWindows;MyDesktopService;c:\windows\orclobi\mydesktop\MyDesktopService.exe [2010-8-24 1032704]

R2 OdService;ODrive Service;c:\program files\oracle\odrive\xfssvccon.exe svcmanager --> c:\program files\oracle\odrive\XfsSvcCon.exe svcmanager [?]

R2 PMEMNT;PMEMNT;c:\windows\pmemnt.sys [2010-3-2 7012]

R2 QOSMyDesktop;QOS MyDesktop;c:\windows\orclobi\mydesktop\MyDesktopQOS.exe [2009-10-13 470016]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-3-2 112512]

R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-3-2 33832]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-3-2 244368]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2009-10-28 44680]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2009-10-28 107960]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2009-10-28 38680]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2009-10-28 35552]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-3-2 110080]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15264]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-10-28 91672]

R3 owcmirrorV1;owcmirrorV1;c:\windows\system32\drivers\owcmirrorminiV1.sys [2010-7-28 3712]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2009-10-28 44680]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-28 43288]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-28 65448]

UnknownUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2011-01-08 19:04:02 -------- d-----w- c:\windows\system32\NtmsData

2011-01-08 19:03:21 -------- d-----w- c:\docume~1\mseymour\applic~1\Avira

2011-01-08 18:56:35 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-08 18:56:32 -------- d-----w- c:\program files\Avira

2011-01-08 18:56:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2011-01-08 00:14:17 40328 ----a-w- c:\windows\system32\HIPIS0e011b5.dll

2011-01-08 00:04:29 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{9cccac68-1420-4973-8e14-46e9ae38cb15}\mpengine.dll

2011-01-06 20:07:42 -------- d-----w- c:\program files\Lame For Audacity

2011-01-06 20:07:21 -------- d-----w- c:\program files\Audacity

==================== Find3M ====================

2010-11-04 07:42:20 136512 ----a-w- c:\windows\system32\KevlarSigs.dll

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-10-12 15:17:52 140288 ----a-w- c:\windows\system32\pcre3.dll

============= FINISH: 9:57:53.39 ===============

attach.zip

mbam_log_2011_01_09__13_58_11_.txt

[Kenny94]

Hi MichaelS

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

1. Download ComboFix from below:
   Combofix download
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   You can get help on disabling your protection programs here
   
3. Double click on combofix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   The Recovery Console was successfully installed.
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   ---------------------------------------------------------------------------------------------
   

[MichaelS]

Ran combo fix, asked me to install the recovery console which I did. Ran a scan and then I got a blue screen. The one that says reboot if its the first time you have seen this, if not do xyz. First time I have ever seen it (on this computer)

Not sure what to do. Will attempt to run combofix again

[MichaelS]

Here is the combo fix

ComboFix 11-01-04.01 - mseymour 01/09/2011 20:09:56.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2783 [GMT -7:00]

Running from: c:\documents and settings\mseymour\My Documents\Downloads\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FW: McAfee Host Intrusion Prevention Firewall *Disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\mseymour\Local Settings\Application Data\Adobe updater

c:\program files\INSTALL.LOG

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\kill.exe

c:\windows\system32\.log

c:\windows\system32\pcre3.dll

c:\windows\system32\spool\prtprocs\w32x86\xpdpp.dll

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_WINDUMP

((((((((((((((((((((((((( Files Created from 2010-12-10 to 2011-01-10 )))))))))))))))))))))))))))))))

.

2011-01-09 17:07 . 2010-11-10 03:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{781A484A-8D0B-4C52-B270-760563509480}\mpengine.dll

2011-01-08 19:04 . 2011-01-08 20:24 -------- d-----w- c:\windows\system32\NtmsData

2011-01-08 19:03 . 2011-01-08 19:03 -------- d-----w- c:\documents and settings\mseymour\Application Data\Avira

2011-01-08 18:56 . 2010-12-13 15:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-01-08 18:56 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-01-08 18:56 . 2010-12-13 15:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-08 18:56 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-01-08 18:56 . 2011-01-08 18:56 -------- d-----w- c:\program files\Avira

2011-01-08 18:56 . 2011-01-08 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-01-08 00:14 . 2010-06-15 17:57 40328 ----a-w- c:\windows\system32\HIPIS0e011b5.dll

2011-01-06 20:07 . 2011-01-06 20:07 -------- d-----w- c:\program files\Lame For Audacity

2011-01-06 20:07 . 2011-01-06 20:07 -------- d-----w- c:\program files\Audacity

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 01:09 . 2010-10-15 20:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 01:08 . 2010-10-15 20:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-10 03:33 . 2010-12-03 23:07 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2010-11-04 19:30 . 2010-10-28 19:13 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-11-04 07:42 . 2009-10-28 16:32 136512 ----a-w- c:\windows\system32\KevlarSigs.dll

2010-10-19 20:51 . 2010-12-02 23:03 222080 ------w- c:\windows\system32\MpSigStub.exe

2009-09-01 04:07 . 2009-10-28 16:24 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2010-01-19 02:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2010-01-19 02:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2010-01-19 02:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2010-01-19 02:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2010-01-19 02:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2010-01-19 02:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2010-01-19 02:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2010-01-19 02:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2010-01-19 02:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\mseymour\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-02 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-23 136512]

"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2010-06-15 979104]

"TweakAutomaticUpdates"="c:\windows\orclobi\gdswsuspatch_soon.exe" [2005-12-22 126887]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-16 729088]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-08 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-08 141848]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]

"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-10 667648]

"ntpgds"="c:\windows\orclobi\synctime.exe" [2003-04-07 110993]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-28 185632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FirefoxConfig"="c:\windows\orclobi\config\openofficeconfig.exe" [2009-10-20 397914]

"ThunderbirdConfig"="c:\windows\orclobi\config\thunderbirdconfig.exe" [2009-06-23 200630]

"LightningConfig"="c:\windows\orclobi\config\lightningconfig.exe" [2010-02-26 410328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2010-3-2 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"hidefastuserswitching"= 1 (0x1)

"promptpasswordonresume"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/28/2010 12:13 PM 64288]

R1 TDFSD;TDFSD;c:\windows\system32\drivers\tdfsd.sys [5/4/2009 4:54 PM 946144]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/8/2011 11:56 AM 135336]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 6:56 AM 133968]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 12:07 PM 320800]

R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2/6/2009 9:06 PM 443168]

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [6/15/2010 10:57 AM 1498224]

R2 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [10/14/2010 2:53 PM 35696]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 12:46 AM 1375992]

R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [8/6/2009 4:53 PM 222528]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [8/31/2009 9:07 PM 21256]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/28/2009 9:24 AM 69192]

R2 MyDesktopWindows;MyDesktopService;c:\windows\OrclOBI\MyDesktop\MyDesktopService.exe [8/24/2010 9:11 AM 1032704]

R2 OdService;ODrive Service;c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager --> c:\program files\Oracle\ODrive\XfsSvcCon.exe svcmanager [?]

R2 PMEMNT;PMEMNT;c:\windows\pmemnt.sys [3/2/2010 4:27 PM 7012]

R2 QOSMyDesktop;QOS MyDesktop;c:\windows\OrclOBI\MyDesktop\MyDesktopQOS.exe [10/13/2009 12:18 PM 470016]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [3/2/2010 4:09 PM 112512]

R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [3/2/2010 4:09 PM 33832]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [3/2/2010 4:09 PM 244368]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [10/28/2009 9:31 AM 44680]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [10/28/2009 9:31 AM 107960]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [10/28/2009 9:31 AM 38680]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [10/28/2009 9:31 AM 35552]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [3/2/2010 4:09 PM 110080]

R3 owcmirrorV1;owcmirrorV1;c:\windows\system32\drivers\owcmirrorminiV1.sys [7/28/2010 12:08 PM 3712]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [10/28/2009 9:31 AM 44680]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/28/2009 9:24 AM 65448]

UnknownUnknown dsload;dsload; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MFEBOPK01

*NewlyCreated* - MFEBOPK02

*Deregistered* - dsgrab_01cabbe6743a06b4

*Deregistered* - mfebopk01

*Deregistered* - mfebopk02

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2011-01-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 20:15]

2011-01-10 c:\windows\Tasks\At1.job

- c:\windows\orclobi\gdswsuspatch.exe [2009-10-28 04:50]

2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2774318410-3589908638-1860071781-1007Core.job

- c:\documents and settings\mseymour\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-02 23:13]

2011-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2774318410-3589908638-1860071781-1007UA.job

- c:\documents and settings\mseymour\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-02 23:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.oracle.com

mStart Page = hxxp://my.oracle.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: oracle.com\conference

Trusted Zone: oraclecorp.com\global-service

Trusted Zone: oraclecorp.com\global-service

Trusted Zone: siteadvisor.com\www

DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab

DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab

DPF: {7A376A89-3DA9-4B3F-B3D4-FBE98B545AB7} - hxxps://global-crm.oraclecorp.com/callcenter_enu/20436/applets/SiebelAx_HI_Client.cab

FF - ProfilePath - c:\documents and settings\mseymour\Application Data\Mozilla\Firefox\Profiles\byup3rcb.Default User\

FF - prefs.js: network.proxy.http - www-proxy.us.oracle.com

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.ssl - www-proxy.us.oracle.com

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 1

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: McAfee SiteAdvisor Enterprise: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor Enterprise

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-09 20:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\mseymour\LOCALS~1\Temp\GLC4.tmp 164864 bytes executable

c:\docume~1\mseymour\LOCALS~1\Temp\GLK5.tmp

scan completed successfully

hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Lavasoft Kernexplorer]

"ImagePath"="\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1940)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

- - - - - - - > 'lsass.exe'(2000)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

- - - - - - - > 'explorer.exe'(2848)

c:\windows\system32\WININET.dll

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

c:\program files\TortoiseSVN\bin\TortoiseStub.dll

c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

c:\program files\TortoiseSVN\bin\intl3_tsvn.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Dell\Dell ControlPoint\System Manager\dadkeyb.dll

c:\windows\system32\hccutils.DLL

c:\windows\SYSTEM32\TDShell.DLL

c:\program files\Bonjour\mdnsNSP.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(1908)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\drivers\audio\stacsv.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Oracle\ODrive\XfsSvcCon.exe

c:\program files\McAfee\VirusScan Enterprise\mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\program files\TortoiseSVN\bin\TSVNCache.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\IDT\WDM\sttray.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\HidFind.exe

c:\program files\DellTPad\Apntex.exe

c:\documents and settings\mseymour\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2011-01-09 20:22:08 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-10 03:22

Pre-Run: 134,967,091,200 bytes free

Post-Run: 134,815,821,824 bytes free

- - End Of File - - 73F774FF5D062815ACF09B33E9042B26

[MichaelS]

In addition, it appears to have fixed the problem. I will continue to check here though until I get the all clear from you

[Kenny94]

We still have some work to do.

TFC(Temp File Cleaner):

• Please download TFC to your desktop,
  
• Save any unsaved work. TFC will close all open application windows.
  
• Double-click TFC.exe to run the program.
  
• If prompted, click "Yes" to reboot.
  

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Next

There are some older versions of Java on your computer. These can be a source of infection.

[

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  
• Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 23 -
  
• Click the Download button to the right.
  
• Select the Windows platform from the dropdown menu.
  
• Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue.The page will refresh.
  
• Click on the link to download Windows Offline Installation and save the file to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u123 -windows-i586-p.exe to install the newest version.
  

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
    
  • Next, click on the Delete Files button
    
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
      

    [*]Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    [*]Click OK to leave the Temporary Files Window

    [*]Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_23 from Sun Microsystems Inc.

-------------------------------------------------------------------

Next

Please run this online scan:

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
  

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

• Once the update is complete, click on Settings.
  
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • 
    
  • Spyware, adware, dialers, and other riskware
    
  • Archives
    
  • E-mail databases
    

  [*]Click on My Computer under the green Scan bar to the left to start the scan.

  [*]Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

  [*]Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

  [*]Click View report... at the bottom.

  [*] Click the Save report... button.

  

  [*] Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

[MichaelS]

Ok, did the first bit, and the java bit. But when I did kaspersky online scanner, I got an error

"Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired]"

I was connected to the internet the entire time. I got this after I did the download. thanks, Michael

[MichaelS]

It also said the digital cert was expired when I tried to download it but i downloaded it anyway.

[Kenny94]

ESET Online Scanner should work. Lets give it a whirl:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

• Please go here then click on:
  
• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
  
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  
• Now click on Advanced Settings and select the following:
  

• • Scan for potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth Technology
    

[*]Now click on:

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on:

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

[MichaelS]

Ran, said it found nothing

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=3b238a099c9b224dbb3ecfd223aae40b

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-01-10 07:25:24

# local_time=2011-01-10 12:25:24 (-0700, Mountain Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 16775141 100 93 0 31105858 0 0

# compatibility_mode=5891 16776869 100 100 0 24185087 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=75356

# found=0

# cleaned=0

# scan_time=3015

[Kenny94]

Your Computer is Clean

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

• Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  
• Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  
  
• Please follow the prompts to uninstall Combofix.
  
• You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
  

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  
• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  
• Next press the Apply button and then the OK to exit the Internet Properties page.
  

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial for Spywareblaster can be found here.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips

[MichaelS]

Thanks Kenny, I appreciate your patience and advice. You truly are a jedi master at malware removal!

BTW - I use Chrome as my browser, you may want to add it to your list. I really like it better than firefox b.c each browser is its own process and thus its lightening fast.

[LDTate]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.