TechSpot

Help request: appear to have cycbot.b on Vista machine (8 steps)

By GMac
Nov 4, 2010
  1. Hi all - new to the site after a recommendation from a friend.

    I've been fighting a malware instance which appears to be called cycbot.b (from the MS Live OneCare scan). My a/v software, McAfee, does not detect anything, but Malwarebytes does.

    After cleaning both automatically with MBAM and manually, files reappear.

    From another site, the following files are related although not detected by MBAM:
    C:\Users\Administrator\AppData\Local\Microsoft\Windows\Shell.exe
    C:\Users\Administrator\AppData\Local\Temp\dwm.exe ****
    C:\Users\Administrator\AppData\Roaming\Microsoft\stor.cfg

    **** This one, when removed, raises an error upon restart as a registry entry attempts to call it. The registry entry is not cleaned by MBAM and is a pretty deeply buried HKLM\Software\Windows\CurrentVersion\...\x86****** entry. I am a little nervous about deleting it without knowing more.

    The first symptom I noticed was Google redirects in both IE8 and Firefox. Disabling an unknown add-on, "Research", seems to have corrected that, but the infection remains.

    I'll be grateful for any help the forum can provide!

    Logs posted from 8 steps:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18975

    11/4/2010 9:09:49 AM
    mbam-log-2010-11-04 (09-09-49).txt

    Scan type: Quick scan
    Objects scanned: 126228
    Time elapsed: 5 minute(s), 14 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    C:\Users\Administrator\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Administrator\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

    ---------------------------------------------------------------------------------------------------------------------------------

    GMER 1.0.15.15507 - http://www.gmer.net
    Rootkit scan 2010-11-04 10:00:53
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9160412ASG 0004SDM1
    Running: GMER.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pgdiakoc.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA01AD83B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA01AD865]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA01AD84F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA01AD827]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwTerminateProcess 8222DDA3 5 Bytes JMP A01AD82B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82256F3D 7 Bytes JMP A01AD853 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 8227EE5B 5 Bytes JMP A01AD83F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 822CE8BF 5 Bytes JMP A01AD869 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ? System32\drivers\nkshkav.sys The system cannot find the path specified. !

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [614A9C27] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [614AA3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [614AA3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [614A9B94] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [614A9B56] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [614A9CF2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [614A9C27] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [614AA3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3140] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [614A9D87] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73BA7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73BFA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73BABB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B9F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73BA75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B9E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73BD8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73BADA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B9FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B9FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B971CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73C2CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73BCC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B9D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B96853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B9687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3568] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73BA2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Linkage@Export ????????????????????????????????????? ?????????????????????#????????????????????? ?????????????????????#????????????????????????????????????????????????????????????*6to4mp?????????????? ?????????????????????#????????????????????? ?????????????????????#????????????????????????????????????????????????????????????????????? ?????????????????????#????????????&???????????????????????????????????? ?????????????????????#????????????????????? ?????????????????????#????????z???????????????????????????? ??? ????z??????6???b??nettun.inf:Microsoft.NTx86:6to4mp.ndi:6.0.6002.18005:*6to4mp?b???????b???????????b???e??tunnel???b??? .??????b???????b??Microsoft 6to4 Adapter???b???????????????????????????????????????b??? ?????????????????????#?????????????????????????????????????????????????????????b???t???t??? ?????????????????????#????????.???????????Microsoft 6to4 Adapter??????@nettun.inf,%6to4mp.displayname%;Microsoft 6to4 Adapter????????????????????????????????????????s????? ??????????????????????????????`??????????????????
    Reg HKLM\SYSTEM\ControlSet002\Services\LanmanServer\Linkage@Export ????????NDISWANIPo??86.44????????????????????????????????????????????????????????????>?????????????????n??????<???????????h??????????????????????e??????????????? ??????????????????????mf??Base?ography????? ???????0?????vic??????????????????????CloseEmdPerf????????????????????????????????????????PTUMWCDF?B??? ??????????????B???.NT????????????????????C???????????????????n????????????????????????%SystemRoot%\system32\srvsvc.dll????????????????????????????????5.79????????????????????????????????????????????????????????????????1.43?????????????????????????????????????????????????????????????????????????:???????????>???????????:?????????????>?>??Thu, Nov 04 10, 08:57:30 AM??????????????????????????????????????>??????????????????????????FAT12/16/32 File System Driver??????Collects information about files in memory to be consumed by other system services.?????File System Filter Manager Driver?????R????????????e??????0??????h???????e??????????????p????????????F???$??????????????????????????????????t???BitLocker Drive

    ---- EOF - GMER 1.0.15 ----
    ---------------------------------------------------------------------------------------------------------------------------------
    DDS (Ver_10-11-03.01) - NTFSx86
    Run by Administrator at 10:01:25.90 on Thu 11/04/2010
    Internet Explorer: 8.0.6001.18975
    Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.3571.2285 [GMT -4:00]

    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_2311653e\STacSV.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_2311653e\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\CCM\CcmExec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\shell.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\Users\Administrator\AppData\Local\Temp\dwm.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\SAP\SapSetup\setup\Updater\NwSapSetupUserNotificationTool.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Administrator\Utilities\dds.scr
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = https://train.ps.net/
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    uInternet Settings,ProxyOverride = *.local
    uWinlogon: Shell=explorer.exe,c:\users\administrator\appdata\roaming\microsoft\windows\shell.exe
    uWindows: Load=c:\users\admini~1\appdata\local\temp\dwm.exe
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: jZip Webmail plugin: {647fd14a-c4f1-46f4-8fc3-0b40f54226f7} - c:\program files\jzip\WebmailPlugin.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SAP_WUS_UNT] "c:\program files\sap\sapsetup\setup\updater\NwSapSetupUserNotificationTool.exe"
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: HideFastUserSwitching = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Trusted Zone: perotsystems.com
    Trusted Zone: perotsystems.net
    Trusted Zone: ps.net
    DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
    Handler: ebahn - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
    Handler: hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
    Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
    Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
    Handler: x-asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
    Handler: x-cnote - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
    Handler: x-ebahn - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
    Handler: x-hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
    Handler: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - c:\program files\ebahn\eztoolslib2.dll
    Handler: x-zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
    Handler: zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\program files\ebahn\hsppp.dll
    Notify: igfxcui - igfxdev.dll
    LSA: Notification Packages = scecli CPNP

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\a7cr83f2.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
    FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-1-24 144704]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_2311653e\AEstSrv.exe [2008-11-19 77824]
    R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-1-29 47504]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-17 103744]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-1-24 54608]
    R2 NWSAPAutoWorkstationUpdateSvc;SAPSetup Automatic Workstation Update Service;c:\program files\sap\sapsetup\setup\updater\NwSapAutoWorkstationUpdateService.exe [2010-2-25 251248]
    R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2008-1-29 121136]
    R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-1-29 673872]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-11-19 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-11-19 225408]
    R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2008-1-29 2235760]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-17 72936]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-17 33960]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-17 171400]
    R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-19 3664384]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 d553bus;Dell Wireless 5530 HSPA Mobile Broadband Minicard Device driver (WDM);c:\windows\system32\drivers\d553bus.sys [2008-11-20 300672]
    S3 d553card;Dell Wireless 5530 HSPA Mobile Broadband Minicard i7;c:\windows\system32\drivers\d553card.sys [2008-11-20 378368]
    S3 d553gps;Dell Wireless 5530 HSPA Mobile Broadband Minicard GPS Port;c:\windows\system32\drivers\d553gps.sys [2008-11-20 76328]
    S3 d553mdfl;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Filter;c:\windows\system32\drivers\d553mdfl.sys [2008-11-20 14976]
    S3 d553mdfl2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Filter;c:\windows\system32\drivers\d553mdfl2.sys [2008-11-20 14976]
    S3 d553mdm;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Driver;c:\windows\system32\drivers\d553mdm.sys [2008-11-20 387200]
    S3 d553mdm2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Driver;c:\windows\system32\drivers\d553mdm2.sys [2008-11-20 431616]
    S3 d553nd5;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (NDIS);c:\windows\system32\drivers\d553nd5.sys [2008-11-20 25984]
    S3 d553unic;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (WDM);c:\windows\system32\drivers\d553unic.sys [2008-11-20 402944]
    S3 dc21x4vm;dc21x4VM Based Network Adapter Driver;c:\windows\system32\drivers\dc21x4vm.sys [2006-11-2 52224]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-19 112128]
    S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [2010-5-20 54544]
    S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\PTUMWCDF.sys [2010-5-20 22032]
    S3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\drivers\PTUMWCSP.sys [2010-5-20 160400]
    S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [2010-5-20 12048]
    S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [2010-5-20 160400]
    S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [2010-5-20 115216]
    S3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\drivers\PTUMWNSP.sys [2010-5-20 160400]
    S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [2010-5-20 160400]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
    S3 Sony_EricssonWWSC;Dell Wireless 5530 HSPA Mobile Broadband Minicard PC SC Port;c:\windows\system32\drivers\d553scard.sys [2008-11-20 25640]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]

    =============== Created Last 30 ================

    2010-11-04 12:36:47 -------- d-----w- c:\users\administrator\Utilities
    2010-11-04 01:59:43 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{95471887-738d-46f6-b262-6989e8922d0e}\mpengine.dll
    2010-11-03 19:35:13 -------- d-----w- c:\users\administrator\DoctorWeb
    2010-11-03 15:09:38 120320 ----a-w- c:\users\admini~1\appdata\roaming\microsoft\windows\shell.exe
    2010-11-03 01:57:57 -------- d-----w- C:\Quarantine
    2010-11-03 01:53:59 -------- d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
    2010-11-03 01:53:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-03 01:53:55 -------- d-----w- c:\progra~2\Malwarebytes
    2010-11-03 01:53:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-03 01:53:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-03 01:37:32 -------- d-----w- c:\program files\Trend Micro
    2010-11-01 19:03:24 -------- d-----w- c:\program files\Research In Motion Limited
    2010-10-27 09:17:47 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-27 09:17:44 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 09:17:43 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-14 14:20:52 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
    2010-10-14 14:20:51 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-10-14 14:20:14 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-10-14 14:20:14 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-10-14 14:20:14 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-10-14 14:20:13 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-10-14 14:20:11 17920 ----a-w- c:\windows\system32\netevent.dll

    ==================== Find3M ====================

    2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
    2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-10 15:53:15 274944 ----a-w- c:\windows\system32\schannel.dll
    2008-10-08 18:18:36 626688 ----a-w- c:\program files\common files\sapconsaccess.dll
    2008-10-08 18:18:36 40960 ----a-w- c:\program files\common files\DigitalSignature.ocx
    2008-10-08 18:18:36 3125248 ----a-w- c:\program files\common files\sapxlhelper.dll
    2008-10-08 18:18:36 192512 ----a-w- c:\program files\common files\sapconsr3.dll

    ============= FINISH: 10:01:39.41 ===============
    ---------------------------------------------------------------------------------------------------------------------------------
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-03.01)

    Microsoft® Windows Vista™ Enterprise
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/22/2010 12:47:37 PM
    System Uptime: 11/4/2010 9:10:53 AM (1 hours ago)

    Motherboard: Dell Inc. | | 0X564R
    Processor: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz | Microprocessor | 2535/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 81.226 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
    Description: Photosmart C7200 series
    Device ID: ROOT\IMAGE\0000
    Manufacturer: HP
    Name: Photosmart C7200 series
    PNP Device ID: ROOT\IMAGE\0000
    Service: StillCam

    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Photosmart C7200 series
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Photosmart C7200 series
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.0
    AIO_Scan
    Amazon Kindle For PC v1.1
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    BlackBerry App World Browser Plugin
    BlackBerry Desktop Software 6.0
    BlackBerry Device Software Updater
    BMC Remedy User 7.0
    Bonjour
    BufferChm
    C7200
    C7200_Help
    Cards_Calendar_OrderGift_DoMorePlugout
    Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2
    Cisco Systems VPN Client 5.0.05.0290
    Configuration Manager Client
    Copy
    Crystal11_Redistributables
    CutePDF Writer 2.8
    Dell Touchpad
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DHTML Editing Component
    DocProc
    DocProcQFolder
    eBahn® Reader
    eSupportQFolder
    Fax
    GPBaseService
    GPBaseService2
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Imaging Device Functions 10.0
    HP Photosmart All-In-One Driver Software 10.0 Rel .2
    HP Photosmart Essential 3.5
    HP Smart Web Printing 4.60
    HP Solution Center 13.0
    HP Update
    HPPhotoSmartDiscLabel_PaperLabel
    HPPhotoSmartDiscLabel_PrintOnDisc
    HPPhotoSmartDiscLabelContent1
    hpphotosmartdisclabelplugin
    HPPhotosmartEssential
    HPPhotoSmartPhotobookWebPack1
    HPProductAssistant
    HPSSupply
    iTunes
    Java(TM) 6 Update 10
    jZip
    Lizardtech DjVu Control
    Malwarebytes' Anti-Malware
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Meeting 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Project Professional 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visio Professional 2003
    Microsoft Office Word MUI (English) 2007
    Microsoft redistributable runtime DLLs VS2005 SP1(x86)
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft XML Parser
    Mozilla Firefox (3.6.12)
    MSVCSetup
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML4.0 redistributable
    Napster Download Manager
    NetDeviceManager
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    OCR Software by I.R.I.S. 10.0
    OGA Notifier 2.0.0048.0
    PanoStandAlone
    PANTECH USB Modem V2
    PowerDVD
    PS_AIO_02_ProductContext
    PS_AIO_02_Software
    PS_AIO_02_Software_Min
    PSSWCORE
    QuickTime
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    SAP Business Explorer
    SAP GUI 7.10
    SAPSetup Automatic Workstation Update Service
    Scan
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Shop for HP Supplies
    SmartWebPrinting
    SolutionCenter
    Sonic CinePlayer Decoder Pack
    Status
    Toolbox
    TrayApp
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb2410711)
    VideoToolkit01
    VZAccess Manager
    WebEx
    WebReg
    WIMGAPI
    Windows Live OneCare safety scanner
    Yahoo! Messenger

    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot. I will advise you on the malware infection.

    Can you tell me what you mean in the section with the 3 files you describe as:
    Are you currently getting help for this problem on another site also? If not, the problem is that your searches are getting redirected to a site you did not request - is that correct?

    One other question: Are you actively using the EZTools Protocols now?
    =====================================================
    What is a Backdoor.bot?
    And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:
    1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
    2. Data theft (e.g. retrieving passwords or credit card information)
    3. Installation of software, including third-party malware
    4. Downloading or uploading of files on the user's computer
    5. Modification or deletion of files
    6. Keystroke logging
    7. Watching the user's screen
    8. Wasting the computer's storage space
    9. Crashing the computer

    Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean, which may not find or remove all of its code?
     
  3. GMac

    GMac TS Rookie Topic Starter

    Hi Bobbye,

    Thanks for your response. The info from other sites is my own research trying to manually remove this thing myself; I consider myself somewhat savvy and have been able to clean up similar messes in the past but this one has been very persistent.

    The first symptom that I noticed of a problem was a redirect out of Google using either IE8 or Firefox. I seem to have corrected IE8 by disabling a particular add-on that I did not recognize and which had very little info other than a name.

    I also discovered a proxy in Firefox (local host, I think...127.0.0.1, but using port 50370). Prior to my "fix" (which was setting it back to no proxy), Firefox would not connect to the internet AFTER the apparent success I've had (see below). Up to that point FF seemed to work just fine, which I assume means my browsing was going through some rogue proxy.

    I am not using any other tools like EXTools Protocols to my knowledge.

    This is a corporate laptop, and while I could have it re-imaged, I'd prefer not to if I can avoid it with a reasonable expectation of killing this thing.

    I can also provide an update...I stated originally that MalwareBytes would remove the 3 threats that it identified, but they reappeared later either after a restart or after a short period of time even without a restart.

    Prior to the "8 steps", I manually deleted files that I identified using information I could find scattered around the web (searching on another, clean, machine).

    After all of that the files would reappear and MBAM would identify the problem again.

    Now after running the "8 steps", I have run MBAM after each time I've restarted the machine (I'm traveling today so that's been 3/4 times in airports and on planes, etc.) and so far...no reinfection.

    I AM still getting the windows message about not being able to find the file dwm.exe upon startup. I believe that's a good thing, and I have identified the registry entry (or at least one of them) calling for it. That's the kind of deep-rooted one I mentioned originally. I can deal with the error until I'm sure that I'm clean, then I'll kill the reg entry.

    The other resource that identified the problem was the MS website's Live OneCare, but I have not run that scan again as it is long-running and runs from their servers so I haven't had the time to do it.

    So, that's a long-winded way of saying that some of the tools that I was not using before in the 8 steps may have helped clear the problem up, or this thing is smart enough to hide when it feels threatened (surely not!).

    Before I waste anyone's time that doesn't just know about this particular thing from experience, I'll run the MS scanner again tonight and see if it finds anything.

    If you have a different recommendation though, I'll certainly consider it!

    thx - GMac
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for that information. It does bring up 2 issues though:
    I understand you travel. But do you have an IT person for the company? If the Backdoor.bot is in the company server, then all the other machines could be at risk.

    About EXTools Protocols:
    This "Handler" is seen to run as svchost.exe with a very high resource use. It would display as an O18 entry in a HijackThis log.
    ============================================
    About a Memory Resident:
    Memory Processes Infected:
    C:\Users\Administrator\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.
    Memory-resident programs are those that can be placed in, and remain in, an affected system's main memory space after execution. Memory residency enables a piece of malware to be readily available whenever needed, ensuring that the malware is easily accessible or can monitor every event on an affected system. This is a malware's way of controlling every activity on an affected system when a condition is satisfied.

    First, the malware has to be executed. Once done, to assure it is executed at every system startup, it can put links to itself where the system initializes or pre-configures the OS. These are places or configuration files that are accessed by the Operating System upon startup. It does this by modifying or adding to Registry entries for processes such as autoexec.bat or config.sys, processes that are always used in basic startup schemes.

    In this case, the backdoor.bot is running as svchost.exe, the problem being that this is a process you will find multiple times in the Task Manager as normal behavior. While the process was unloaded here, when you reboot it will be back, so finding the offensive entry and removing it becomes more difficult.
    Source: Symantec
    ============================================
    Okay, school's out - but the information is applicable to the malware you have and why it 'comes back'! Let's see how much of this we can find and remove:

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.
    ===================================
    Then Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
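    Two of the findings in this thread lend themselves to a mechanical check over the DDS and ComboFix output: the loopback proxy on port 50370 that GMac found in Firefox (post #3), and Bobbye's point (post #4) that a backdoor running under the name svchost.exe from a profile directory hides among the many legitimate svchost.exe instances. The Python script below is an added example written for this thread; it is not code from TechSpot, from Malwarebytes, DDS, ComboFix or any other tool named here. The sample log lines are constructed to mirror entries quoted in the thread, and the rule names, the list of System32-only binary names and the profile drop directories are my own assumptions.

```python
"""Triage helper for DDS/ComboFix-style text logs (added example, not a real tool).

Two defender-side rules:
  1. A Windows system binary name (svchost.exe, dwm.exe, ...) whose path is not
     %SystemRoot%\\System32, or any .exe living in a user-writable profile dir.
  2. A ProxyServer setting whose proxy host is the local machine (loopback).
"""
import re
from typing import Dict, List

# Assumption: on a healthy system these names run only from \Windows\System32.
SYSTEM32_ONLY = {"svchost.exe", "dwm.exe", "lsass.exe", "csrss.exe",
                 "services.exe", "winlogon.exe", "wininit.exe"}

# Assumption: user-writable locations where dropped executables commonly land.
PROFILE_DROP_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

# Drive-letter path ending in .exe; non-greedy so "x.exe -k Foo" stops at .exe.
PATH_RE = re.compile(r"([a-z]:\\.*?\.exe)\b", re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$", re.IGNORECASE)
# Handles both "host:port" and the per-scheme "http=host:port" form.
HOSTPORT_RE = re.compile(r"(?:[a-z]+=)?([^\s;:=]+):(\d+)", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample lines modelled on the DDS/ComboFix entries quoted in the thread.
SAMPLE_LOG = r"""Memory Processes Infected:
C:\Users\Administrator\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.
2010-11-03 15:09:38 120320 ----a-w- c:\users\admini~1\appdata\roaming\microsoft\windows\shell.exe
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = *.local
"""


def check_path(path: str) -> List[str]:
    """Return the rule names triggered by one executable path (empty if clean)."""
    hits: List[str] = []
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    if name in SYSTEM32_ONLY and not directory.endswith("\\windows\\system32"):
        hits.append("system-binary-name-outside-system32")
    if any(d in p for d in PROFILE_DROP_DIRS):
        hits.append("executable-in-user-profile-dir")
    return hits


def check_proxy(line: str) -> List[str]:
    """Flag ProxyServer lines whose proxy host is the machine itself."""
    m = PROXY_RE.search(line)
    if not m:
        return []
    return [f"loopback-proxy:{host}:{port}"
            for host, port in HOSTPORT_RE.findall(m.group(1))
            if host.lower() in LOOPBACK]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run both rules over every line; each finding keeps the line it came from."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        for path in PATH_RE.findall(line):
            for rule in check_path(path):
                findings.append({"rule": rule, "path": path, "line": line.strip()})
        for rule in check_proxy(line):
            findings.append({"rule": rule, "path": "", "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['line']}")
```

    On the constructed sample the legitimate `c:\windows\system32\svchost.exe` service line produces nothing, while the svchost.exe under AppData\Roaming trips both path rules, shell.exe trips the profile-directory rule, and the `http=127.0.0.1:50370` setting is reported as a loopback proxy. The output is a review list, not a verdict: legitimate software does install under AppData\Local, so each hit still needs a person to confirm it, which is the same judgement the helpers in this thread apply to the logs by hand.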
     
  5. GMac

    GMac TS Rookie Topic Starter

    Thanks a ton - I'll dig into it a bit more later this weekend.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Post the logs when through. Threads are closed after 5 days if there has been no reply.
     
  7. GMac

    GMac TS Rookie Topic Starter

    OK - here are the logs from those two processes. I'll create a second post for ESET; ComboFix is a pretty large file.

    ComboFix log:

    ComboFix 10-11-07.A2 - Administrator 11/09/2010 8:17.1.2 - x86
    Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.3571.2484 [GMT -5:00]
    Running from: c:\users\Administrator\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\install.exe
    c:\users\Administrator\AppData\Roaming\Microsoft\stor.cfg

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))
    .

    2010-11-09 06:38 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DCD1C889-3B0A-493F-8D04-E9EEB2B2CCDA}\mpengine.dll
    2010-11-08 20:49 . 2010-11-08 20:49 -------- d-----w- c:\users\Administrator\AppData\Roaming\HPAppData
    2010-11-04 12:36 . 2010-11-04 12:37 -------- d-----w- c:\users\Administrator\Utilities
    2010-11-03 19:35 . 2010-11-03 19:35 -------- d-----w- c:\users\Administrator\DoctorWeb
    2010-11-03 19:34 . 2010-11-03 19:34 -------- d-----w- c:\users\Administrator\AppData\Roaming\U3
    2010-11-03 14:05 . 2010-11-06 15:34 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-11-03 01:57 . 2010-11-03 21:05 -------- d-----w- C:\Quarantine
    2010-11-03 01:53 . 2010-11-03 01:53 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
    2010-11-03 01:53 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-03 01:53 . 2010-11-03 01:53 -------- d-----w- c:\programdata\Malwarebytes
    2010-11-03 01:53 . 2010-11-03 12:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-03 01:53 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-03 01:37 . 2010-11-03 01:37 -------- d-----w- c:\program files\Trend Micro
    2010-11-01 19:03 . 2010-11-01 19:03 -------- d-----w- c:\program files\Research In Motion Limited
    2010-10-27 09:17 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-27 09:17 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 09:17 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-14 14:20 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2010-10-14 14:20 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-10-14 14:20 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-10-14 14:20 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-10-14 14:20 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-10-14 14:20 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-10-14 14:20 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-10-14 14:06 . 2010-10-14 14:07 -------- d-----w- c:\program files\Common Files\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 15:41 . 2010-02-22 19:05 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-08-26 16:33 . 2010-10-27 09:17 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33 . 2010-10-27 09:17 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:33 . 2010-10-27 09:17 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33 . 2010-10-27 09:17 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-17 14:11 . 2010-09-15 20:37 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2008-10-08 18:18 . 2010-02-25 15:11 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
    2008-10-08 18:18 . 2010-02-25 15:11 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
    2008-10-08 18:18 . 2010-02-25 15:11 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
    2008-10-08 18:18 . 2010-02-25 15:11 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 5248312]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-04-30 196608]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-08 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-08 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-08 145944]
    "SAP_WUS_UNT"="c:\program files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe" [2008-10-29 218472]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-02 442467]
    "nwiz"="nwiz.exe" [2009-06-11 1657376]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "HideFastUserSwitching"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli CPNP

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 d553bus;Dell Wireless 5530 HSPA Mobile Broadband Minicard Device driver (WDM);c:\windows\system32\DRIVERS\d553bus.sys [2008-08-20 300672]
    R3 d553card;Dell Wireless 5530 HSPA Mobile Broadband Minicard i7;c:\windows\system32\DRIVERS\d553card.sys [2008-08-20 378368]
    R3 d553gps;Dell Wireless 5530 HSPA Mobile Broadband Minicard GPS Port;c:\windows\system32\DRIVERS\d553gps.sys [2008-08-09 76328]
    R3 d553mdfl;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Filter;c:\windows\system32\DRIVERS\d553mdfl.sys [2008-08-20 14976]
    R3 d553mdfl2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Filter;c:\windows\system32\DRIVERS\d553mdfl2.sys [2008-08-20 14976]
    R3 d553mdm;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Driver;c:\windows\system32\DRIVERS\d553mdm.sys [2008-08-20 387200]
    R3 d553mdm2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Driver;c:\windows\system32\DRIVERS\d553mdm2.sys [2008-08-20 431616]
    R3 d553nd5;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (NDIS);c:\windows\system32\DRIVERS\d553nd5.sys [2008-08-20 25984]
    R3 d553unic;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (WDM);c:\windows\system32\DRIVERS\d553unic.sys [2008-08-20 402944]
    R3 dc21x4vm;dc21x4VM Based Network Adapter Driver;c:\windows\system32\DRIVERS\dc21x4vm.sys [2006-11-02 52224]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-30 112128]
    R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [2009-10-27 54544]
    R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [2009-10-27 22032]
    R3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\DRIVERS\PTUMWCSP.sys [2009-10-27 160400]
    R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [2009-10-27 12048]
    R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [2009-10-27 160400]
    R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [2009-10-27 115216]
    R3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\DRIVERS\PTUMWNSP.sys [2009-10-27 160400]
    R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [2009-10-27 160400]
    R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
    R3 Sony_EricssonWWSC;Dell Wireless 5530 HSPA Mobile Broadband Minicard PC SC Port;c:\windows\system32\DRIVERS\d553scard.sys [2008-08-19 25640]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_2311653e\aestsrv.exe [2008-06-27 77824]
    S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-01-29 47504]
    S2 NWSAPAutoWorkstationUpdateSvc;SAPSetup Automatic Workstation Update Service;c:\program files\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe [2008-10-29 251248]
    S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [2008-01-29 121136]
    S2 VPN-1;VPN-1 Module;c:\windows\System32\drivers\vpn.sys [2008-01-29 673872]
    S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\Drivers\cvusbdrv.sys [2008-08-01 32808]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-07-16 225408]
    S3 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2008-01-29 2235760]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-29 3664384]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://train.ps.net/
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: perotsystems.com
    Trusted Zone: perotsystems.net
    Trusted Zone: ps.net
    FF - ProfilePath -
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-09 08:26
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7e,be,27,d4,a8,45,bb,4a,b2,f7,c0,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7e,be,27,d4,a8,45,bb,4a,b2,f7,c0,\

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.avi"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.CDA"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.M3U"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MP3"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAV"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAX"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMA"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMD"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMS"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMV"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMZ"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WPL"

    [HKEY_USERS\S-1-5-21-2976721523-655745078-1608717518-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WVX"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_2311653e\STacSV.exe
    c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\windows\system32\CCM\CcmExec.exe
    c:\windows\System32\rundll32.exe
    c:\windows\system32\msiexec.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\windows\system32\wbem\WmiApSrv.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\DellTPad\HidFind.exe
    c:\program files\DellTPad\Apntex.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-09 08:28:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-09 13:28

    Pre-Run: 87,069,351,936 bytes free
    Post-Run: 86,789,976,064 bytes free

    - - End Of File - - 5252C8F47D5A69C77988C4A6DB19A1CE
     
  8. GMac

    GMac TS Rookie Topic Starter

    And the ESET log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=edd103cd253c604eb91bedc30d4b6fa9
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-11-09 02:45:05
    # local_time=2010-11-09 09:45:05 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776573 100 100 0 125918880 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=133021
    # found=0
    # cleaned=0
    # scan_time=2513
     
  9. GMac

    GMac TS Rookie Topic Starter

    I'm cautiously optimistic that some of the tools you pointed me to in your first reply helped me out, but ComboFix found the same stor.cfg file that I kept deleting. I had not noticed the install.exe file that it also deleted.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I started this last night but lost my internet connection. There are 34 locked registry keys for WMP11 plus 10 additional locked registry keys. They have to be 'unlocked' using script to run through Combofix.

    Yes, this is a possibility, but although the Eset scan is clean, Malwarebytes did find entries with the Backdoor.bot, one of which was a Memory Resident, which I also explained to you.

    There are also entries such as these:
    c:\users\Administrator\DoctorWeb
    C:\Quarantine
    Which I will need to check or have you delete.

    I would like to make a suggestion to you about the great number of drivers being used for Dell Wireless (10), Pantech USB (8), plus additional drivers. Just give a check when you have a chance to see if you need all of them. It does seem a bit excessive.

    You have still not clearly defined the problem and I would like you to do that please if you want to continue.
     
  11. GMac

    GMac TS Rookie Topic Starter

    Hi Bobbye.

    My first indication of a problem was a redirect out of a Google search. Really, that was the only symptom that I had.

    I've usually been able to fix things like that in the past using HijackThis, Malwarebytes, or SpybotSD but this one seemed more resilient and I eventually discovered the cycbot.b that a Microsoft OneCare scan identified by name.

    So then I started attacking that, which led me here as it's been - again - pretty resilient.

    So as a result of your much-appreciated help, I think I've killed the malware, and I discovered that (apparently) it had entered proxy values for both IE and Firefox, which I have removed.

    What are your thoughts on the locked reg entries? Does combofix have a script to unlock them?

    I'm interested in your advice to look at the abundance of drivers and I'll do that - I mentioned before it is a corporate machine but in my context all that really means is that we get an initial image and off we go. I'm a road warrior so while there is a help desk available, I don't have any real resources to look at the machine and never really log into a central network; most everything we need is web-based.

    Thanks again for your time and help!
     
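    The proxy values GMac mentions are visible in the ComboFix log above as `uInternet Settings,ProxyServer = http=127.0.0.1:50370`: a proxy that points back at the local machine, which is how traffic gets routed through a malicious local process. The following PowerShell is an added example, not from this thread or from any of the tools discussed in it; it reads the WinINet proxy values in every loaded user hive and the Firefox `prefs.js`/`user.js` files under each profile and reports any that point at a loopback address. It assumes PowerShell 3.0 or newer and an elevated session (so all loaded hives are readable), and it changes nothing.

```powershell
# Added example, not from the thread: report WinINet (IE) and Firefox proxy settings
# that point back at the local machine, the pattern seen in the ComboFix line
# "uInternet Settings,ProxyServer = http=127.0.0.1:50370". Read-only; it changes nothing.
# Assumes PowerShell 3.0+ and an elevated session so every loaded hive is readable.

function Get-LoopbackProxySettings {
    $loopback = '(127\.0\.0\.1|localhost|\[::1\])'
    $findings = @()

    # 1. WinINet settings for every loaded user hive: HKU\<SID>\...\Internet Settings.
    $hives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props.ProxyServer -and $props.ProxyServer -match $loopback) {
            $findings += [pscustomobject]@{
                Source  = "HKU\$($hive.PSChildName)"
                Setting = 'ProxyServer'
                Value   = $props.ProxyServer
                Enabled = [bool]$props.ProxyEnable   # ProxyEnable = 1 means the proxy is active
            }
        }
    }

    # 2. Firefox prefs.js / user.js in every profile of every local user.
    $profileGlob = Join-Path -Path $env:SystemDrive -ChildPath 'Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*'
    $profiles = Get-ChildItem -Path $profileGlob -Directory -ErrorAction SilentlyContinue
    $prefPattern = 'user_pref\("network\.proxy\.(http|ssl|socks)",\s*"(127\.0\.0\.1|localhost|::1)"'
    foreach ($dir in $profiles) {
        foreach ($name in 'prefs.js', 'user.js') {
            $file = Join-Path -Path $dir.FullName -ChildPath $name
            if (-not (Test-Path -Path $file)) { continue }
            # network.proxy.type = 1 means "manual proxy configuration", i.e. the host above is used.
            $manual = Select-String -Path $file -Pattern 'network\.proxy\.type",\s*1\)' -Quiet
            foreach ($hit in @(Select-String -Path $file -Pattern $prefPattern)) {
                $findings += [pscustomobject]@{
                    Source  = $file
                    Setting = 'network.proxy.*'
                    Value   = $hit.Line.Trim()
                    Enabled = [bool]$manual
                }
            }
        }
    }
    return $findings
}

$hits = Get-LoopbackProxySettings
if ($hits) { $hits | Format-Table -AutoSize } else { 'No loopback proxy settings found.' }
```

    A loopback proxy is not proof of infection on its own: local debugging proxies and some security products register one legitimately. Treat a hit as a lead, then check which process is listening on the reported port and whether it belongs to something the user installed on purpose.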
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think you need to consider the information I gave you about a Backdoor.bot.
    As for the locked Registry keys, yes, I can write script for Combofix to unlock them - all 34 of them. Then the information has to be checked, then new script written to delete any bad keys. It involves considerable time and work.

    Since most of them are related to "WMP11.AssocFile,.xx", followed by the file extension, please tell me if you are having any problems with WMP and/or getting any error messages when trying to access it?

    The Drivers/Services I noted were:
    This group: All for the PANTECH USB Modem V2, all with install date of 10/27/2010
    PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys
    PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys
    PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\DRIVERS\PTUMWCSP.sys
    PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys
    PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys
    PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys
    PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\DRIVERS\PTUMWNSP.sys
    PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys
    They are all running (R) on Demand (3).

    And this group: All for the Dell Wireless 5530 HSPA Mobile Broadband Minicard Device driver, all with install date of 8/20/2008
    d553bus;Dell Wireless 5530 HSPA Mobile Broadband Minicard Device driver (WDM);c:\windows\system32\DRIVERS\d553bus.sys
    d553card;Dell Wireless 5530 HSPA Mobile Broadband Minicard i7;c:\windows\system32\DRIVERS\d553card.sys
    d553gps;Dell Wireless 5530 HSPA Mobile Broadband Minicard GPS Port;c:\windows\system32\DRIVERS\d553gps.sys
    d553mdfl;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Filter;c:\windows\system32\DRIVERS\d553mdfl.sys
    d553mdfl2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Filter;c:\windows\system32\DRIVERS\d553mdfl2.sys
    d553mdm;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem Driver;c:\windows\system32\DRIVERS\d553mdm.sys
    d553mdm2;Dell Wireless 5530 HSPA Mobile Broadband Minicard Modem 2 Driver;c:\windows\system32\DRIVERS\d553mdm2.sys
    d553nd5;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (NDIS);c:\windows\system32\DRIVERS\d553nd5.sys
    d553unic;Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter (WDM);c:\windows\system32\DRIVERS\d553unic.sys
    They are all also Running on Demand.

    You have WiFi, Mobile Broadband, VPN, SecuRemote Miniport and a slew of other drivers involved in some type of internet access. They are all legitimate; however, I wanted to bring your attention to them in case you no longer use any of the modes.
     
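    The "LOCKED REGISTRY KEYS" section of the ComboFix log above, and Bobbye's count of 34 WMP11 keys plus 10 others, both come down to one thing: keys carrying an explicit Deny access-control entry, which ComboFix prints as `@Denied: ...`. The following PowerShell is an added example, not from this thread or from ComboFix, that lets a reader see the same condition with built-in tooling before any script is written to change permissions. It walks a registry path, reads each key's ACL with `Get-Acl`, and emits one row per Deny entry; it also reports keys it cannot read at all, since that is itself worth knowing. It assumes PowerShell 3.0 or newer and an elevated session, and it is read-only.

```powershell
# Added example, not from the thread: list registry keys under a path that carry an
# explicit Deny ACE, the condition ComboFix reports as "@Denied: ...". Read-only.
# Assumes PowerShell 3.0+ and an elevated session; keys that still refuse to be read
# are reported as "(unreadable)" rather than silently skipped.

function Get-DeniedRegistryKeys {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path    # e.g. 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
    )

    # The base key itself plus everything beneath it.
    $keys = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        if ($null -eq $key) { continue }
        try {
            $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
        } catch {
            # READ_CONTROL itself is refused: report the key instead of hiding it.
            [pscustomobject]@{
                Key       = $key.Name
                Identity  = '(unreadable)'
                Rights    = $_.Exception.Message
                Inherited = $null
            }
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                [pscustomobject]@{
                    Key       = $key.Name
                    Identity  = $ace.IdentityReference.Value   # e.g. MACHINE\Administrator or Everyone
                    Rights    = $ace.RegistryRights            # e.g. SetValue
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# The two groups the log shows: per-extension UserChoice keys and the Flash broker CLSID.
Get-DeniedRegistryKeys -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts' |
    Format-Table -AutoSize
Get-DeniedRegistryKeys -Path 'HKLM:\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}' |
    Format-Table -AutoSize
```

    Windows itself writes a Deny ACE on `...\FileExts\<ext>\UserChoice` so that programs cannot silently rewrite the user's chosen file association, which is why a clean Vista install lists every WMP11 association as "locked"; the `RegistryRights` column makes that visible (a deny limited to `SetValue` on a UserChoice key whose `Progid` is a stock WMP11 value is the expected pattern). A Deny entry on a key outside such patterns, or one that denies reading to Administrators, is the kind of entry that justifies the closer check Bobbye describes.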
Topic Status:
Not open for further replies.
