Inactive Virus Malware Removal

GMER Log:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-12 17:06:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST916041 rev.0003
Running: ypktmtx8.exe; Driver: C:\DOCUME~1\setup\LOCALS~1\Temp\fwloipob.sys


---- System - GMER 1.0.15 ----

SSDT 8989B1A0 ZwAlertResumeThread
SSDT 899B2258 ZwAlertThread
SSDT 85AF55A0 ZwAllocateVirtualMemory
SSDT 8920C260 ZwConnectPort
SSDT 85A39888 ZwCreateMutant
SSDT 85AF9458 ZwCreateThread
SSDT 85A44AA8 ZwFreeVirtualMemory
SSDT 85AF9420 ZwImpersonateAnonymousToken
SSDT 8A46E0F0 ZwImpersonateThread
SSDT 85A36C40 ZwMapViewOfSection
SSDT 85AF94B8 ZwOpenEvent
SSDT 89954268 ZwOpenProcessToken
SSDT 85A322C8 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB6A3F8B0]
SSDT 8A46B1F8 ZwResumeThread
SSDT 89998220 ZwSetContextThread
SSDT 85A32398 ZwSetInformationProcess
SSDT 85AF95C0 ZwSetInformationThread
SSDT 85A39850 ZwSuspendProcess
SSDT 89955958 ZwSuspendThread
SSDT 899A4D00 ZwTerminateProcess
SSDT 89992090 ZwTerminateThread
SSDT 8A3F5840 ZwUnmapViewOfSection
SSDT 85A44B78 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? vrhmqsfu.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 9DA02D20
Device 9D9FF7B4

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

DDS.TXT Log:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by setup at 17:37:31.64 on Thu 05/12/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3027.2407 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6124v037\wdm\stacsv.exe
svchost.exe
C:\PROGRA~1\CrossTec\CROSST~1\client32.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\Program Files\Asset Services Management\ASMAgent.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Documents and Settings\setup\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Timekeeper Central] "c:\program files\kronos\timekeeper central\tkc\RemapClientDrives.exe" Timekeeper Central
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {627C5D14-CB66-493E-B0F3-589C7E2FA813} - hxxp://192.168.5.50/WebClient.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296853435200
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://192.168.5.2/NELX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://sqlservernc/tms/viewers/activeXViewer/activexviewer.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://192.168.5.49/user/TSBnwCam.CAB
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-4-27 293968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-6-15 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-6-15 108392]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 376096]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-11-5 47640]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-14 196912]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-6-15 1831024]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-11-5 112128]
R3 ASMMEMORYDRIVER;ASMMEMORYDRIVER;c:\program files\asset services management\ASMMemoryDriver.sys [2010-11-5 2560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-11-5 109568]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110511.033\NAVENG.SYS [2011-5-12 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110511.033\NAVEX15.SYS [2011-5-12 1393144]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2009-2-23 20504]
S0 cerc6;cerc6; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-6-15 23888]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-05-12 19:39:48 -------- d-----w- c:\docume~1\setup\applic~1\Malwarebytes
2011-05-12 19:39:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-12 19:39:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-05-12 19:39:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-12 19:39:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-02 14:03:21 -------- d-----w- c:\docume~1\setup\locals~1\applic~1\MotionDSP
2011-05-02 14:03:11 -------- d-----w- c:\docume~1\setup\applic~1\MotionDSP
2011-05-02 14:03:04 -------- d-----w- c:\program files\vReveal
2011-04-26 19:49:41 -------- d-----w- c:\program files\NxRemoteXH
2011-04-16 12:34:26 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-04-15 14:49:02 -------- d-----w- c:\program files\Barnstead 2.00
2011-04-15 14:48:35 249856 ------w- c:\windows\Setup1.exe
2011-04-15 14:48:33 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-04-13 20:25:51 -------- d-----w- C:\CWorksSQL-WR
2011-04-13 15:32:43 26416 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-04-13 15:32:43 17712 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-04-13 15:32:32 -------- d-----w- c:\program files\common files\Nitro PDF
2011-04-13 15:30:39 -------- d-----w- c:\docume~1\setup\locals~1\applic~1\OpenCandy
2011-04-13 15:30:37 -------- d-----w- c:\docume~1\setup\applic~1\OpenCandy
2011-04-13 15:30:36 -------- d-----w- c:\program files\Nitro PDF
.
==================== Find3M ====================
.
2011-03-08 16:53:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-08 16:53:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-28 22:37:32 180624 ----a-w- c:\windows\system32\Primomonnt.dll
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 17:37:59.03 ===============

Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/3/2010 5:58:57 PM
System Uptime: 5/12/2011 5:25:02 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0D693C
Processor: Intel Pentium III Xeon processor | Microprocessor | 1591/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 134.457 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02621028&REV_02\3&61AAA01&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02621028&REV_02\3&61AAA01&0&FB
Service:
.
==== System Restore Points ===================
.
RP1: 5/11/2011 7:55:07 AM - System Checkpoint
RP2: 5/11/2011 5:45:02 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
.
32 Bit HP BiDi Channel Components Installer
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.5
AnswerWorks Runtime
ASMBaseMSI
Broadcom Gigabit Integrated Controller
ClearType Tuning Control Panel Applet
CrossTec Remote Control
CWorksSQL-Client WR
Dell ControlPoint System Manager
Dell Resource CD
Dell Touchpad
FastStone Image Viewer 4.2
FRx 6.7 C:\Program Files\FRx Software\FRx 6.7 DrillDown Viewer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
IDT Audio
InfinityQS ProFicient
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless WiFi Software
Java Auto Updater
Java(TM) 6 Update 24
Kronos Data Collection Manager (Timekeeper Central)
Kronos Timekeeper Central 4.4 (Timekeeper Central)
Legitronic Standard Series Labeling Software
LiveUpdate 3.3 (Symantec Corporation)
LogMeIn
Lotus Notes 6.5.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nitro PDF Reader
PrimoPDF -- brought to you by Nitro PDF Software
PrintKey2000
Prism Video File Converter
RICOH R5C83x/84x Media Driver Ver.3.53.02
SBClient
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SolidWorks eDrawings 2011
SonicWALL SSL-VPN NetExtender
Symantec Endpoint Protection
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Van **** Technologies CRT 2.2
vReveal
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
.
==== Event Viewer Messages From Past Week ========
.
5/9/2011 7:13:31 AM, error: NETLOGON [5719] - No Domain Controller is available for domain NC due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
5/6/2011 2:07:09 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
5/6/2011 2:06:59 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
5/6/2011 2:04:51 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
5/6/2011 2:04:34 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RasMan service.
5/6/2011 2:03:51 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the wuauserv service.
5/6/2011 2:03:24 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.
5/6/2011 2:02:45 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
5/6/2011 2:02:28 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SENS service.
5/5/2011 9:57:06 AM, error: iastor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
5/12/2011 4:02:29 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
5/12/2011 4:02:29 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
.
==== End Of File ===========================
 
Please keep all the programs, scans, comments for this problem on this thread.

Please repost your Mbam log here. I am going to close the other thread.
 
Ok, sorry about that. Here is the Mbam log....

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6563

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/12/2011 3:59:24 PM
mbam-log-2011-05-12 (15-59-24).txt

Scan type: Quick scan
Objects scanned: 218667
Time elapsed: 11 minute(s), 48 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
c:\WINDOWS\Wtotya.exe (Trojan.Downloader) -> 2416 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5GUTNY6MFK (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\R8388QA8U8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R8388QA8U8 (Trojan.Downloader) -> Value: R8388QA8U8 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Wtotya.exe (Trojan.Downloader) -> Delete on reboot.
c:\Documents and Settings\setup\Local Settings\Temp\Wrx.exe (Trojan.Downloader) -> Delete on reboot.
c:\WINDOWS\system32\tlist32pp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\setup\local settings\Temp\Wrw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
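
A small triage script for logs in the layout of the Malwarebytes post above, added here as an example; it is not code from the thread or from Malwarebytes. It assumes that section/entry format, and the embedded sample is constructed from the entries in the post.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs.

Added example for this thread; it is not code from the thread or from
Malwarebytes. It assumes the layout of the log posted above: a section
header such as "Files Infected:" followed by one entry per line of the form
    <object> (<classification>) -> [<detail> ->] <action>.
"""
import re
from collections import Counter

# Constructed sample: the detection sections copied from the log above,
# plus two of the summary-count lines to show they are skipped.
SAMPLE_LOG = r"""
Memory Processes Infected: 1
Files Infected: 6

Memory Processes Infected:
c:\WINDOWS\Wtotya.exe (Trojan.Downloader) -> 2416 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5GUTNY6MFK (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\R8388QA8U8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R8388QA8U8 (Trojan.Downloader) -> Value: R8388QA8U8 -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\Wtotya.exe (Trojan.Downloader) -> Delete on reboot.
c:\Documents and Settings\setup\Local Settings\Temp\Wrx.exe (Trojan.Downloader) -> Delete on reboot.
c:\WINDOWS\system32\tlist32pp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\setup\local settings\Temp\Wrw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
"""

# "Files Infected:" with nothing after the colon is a section header; the
# summary block's "Files Infected: 6" is not, so it is skipped.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<cls>[^()]+)\) -> (?P<rest>.+?)\.?$")

# Actions that mean the object is still present until the next reboot.
PENDING_ACTIONS = {"Delete on reboot"}
# Path fragments (lower-cased) that mark autostart locations in these logs.
PERSISTENCE_HINTS = ("\\currentversion\\run\\", "\\tasks\\")


def parse_mbam_log(text):
    """Return one dict per detection: section, object, classification, detail, action."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not an entry line (e.g. trailing notes); skip it
        parts = [p.strip() for p in m.group("rest").split("->")]
        detections.append({
            "section": section,
            "object": m.group("obj"),
            "classification": m.group("cls"),
            "detail": parts[:-1],  # e.g. ["2416"] (a PID) or ["Value: R8388QA8U8"]
            "action": parts[-1],
        })
    return detections


def triage(detections):
    """Summarise what still needs attention: counts, pending deletions, autostarts."""
    return {
        "total": len(detections),
        "by_class": Counter(d["classification"] for d in detections),
        "pending_reboot": [d["object"] for d in detections
                           if d["action"] in PENDING_ACTIONS],
        "persistence": [d["object"] for d in detections
                        if any(h in d["object"].lower() for h in PERSISTENCE_HINTS)],
    }


if __name__ == "__main__":
    summary = triage(parse_mbam_log(SAMPLE_LOG))
    print(f"{summary['total']} detections: {dict(summary['by_class'])}")
    print("still on disk until reboot:", *summary["pending_reboot"], sep="\n  ")
    print("autostart locations touched:", *summary["persistence"], sep="\n  ")
```

The "pending" list is the reason a helper asks for a reboot before the next scan: those files are still on disk until then.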
 
Please give me a description of the problems you're having. I didn't realize it wasn't on this thread also. There were several different Trojan Downloaders found and removed in Malwarebytes. Hopefully they haven't destroyed the system.

You can go ahead and run the following:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click the download image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
==================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=====================================
Question: I notice you're using the AutoPatcher in lieu of the updates. I thought this was pulled due to Microsoft objections. Is this your work computer?
 
Bobbye - I have been having problems with redirects when I click a link after conducting a search. No other problems that I've noticed. In answer to your last question, yes, this is a work computer. I will run ESET and Combofix this weekend and post the results. Thanks for your help.
 
Do you have an IT person in your office? It is a matter of concern that there were so many Trojan Downloaders on a work system. There is some possibility that the company servers may have gotten infected.


We'll see what the Eset scan and Combofix show and go from there.
 
Bobbye - here are the logs from the ESET and Combofix scans:

ESET Log:

C:\Documents and Settings\tmudgett\Application Data\Sun\Java\Deployment\cache\6.0\43\41fc65eb-15ce3742 multiple threats

Combofix Log:

ComboFix 11-05-15.03 - setup 05/15/2011 21:15:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3027.2198 [GMT -4:00]
Running from: c:\documents and settings\setup\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\itemp\WINDOWS
c:\documents and settings\kdurbin\WINDOWS
c:\documents and settings\setup\WINDOWS
c:\documents and settings\tmudgett\My Documents\DPE.DUS
c:\documents and settings\tmudgett\WINDOWS
c:\windows\system32\spool\prtprocs\w32x86\hpzpp5no.dll
.
----- BITS: Possible infected sites -----
.
hxxp://kncpoll1
.
((((((((((((((((((((((((( Files Created from 2011-04-16 to 2011-05-16 )))))))))))))))))))))))))))))))
.
.
2011-05-15 21:57 . 2011-05-15 21:57 -------- d-----w- c:\program files\ESET
2011-05-13 19:41 . 2011-05-13 19:51 -------- d-----w- c:\documents and settings\tmudgett\Application Data\Apple Computer
2011-05-13 19:41 . 2011-05-13 19:43 -------- d-----w- c:\documents and settings\tmudgett\Local Settings\Application Data\Apple Computer
2011-05-13 19:30 . 2011-05-13 19:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-05-13 19:28 . 2011-05-13 19:31 -------- d-----w- c:\documents and settings\setup\Application Data\Apple Computer
2011-05-13 19:28 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-13 19:28 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-13 19:27 . 2011-05-13 19:27 -------- d-----w- c:\program files\iPod
2011-05-13 19:27 . 2011-05-13 19:28 -------- d-----w- c:\program files\iTunes
2011-05-13 19:27 . 2011-05-13 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-13 19:27 . 2011-05-13 19:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-05-13 19:27 . 2011-05-13 19:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-05-13 19:27 . 2011-05-13 19:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-05-13 19:25 . 2011-05-13 19:28 -------- d-----w- c:\documents and settings\setup\Local Settings\Application Data\Apple Computer
2011-05-12 19:39 . 2011-05-12 19:39 -------- d-----w- c:\documents and settings\setup\Application Data\Malwarebytes
2011-05-12 19:39 . 2011-05-12 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-12 19:39 . 2011-05-12 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-11 20:06 . 2011-05-16 01:17 -------- d-----w- c:\documents and settings\kdurbin
2011-05-02 14:03 . 2011-05-12 18:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-05-02 14:03 . 2011-05-02 14:03 -------- d-----w- c:\documents and settings\setup\Local Settings\Application Data\MotionDSP
2011-05-02 14:03 . 2011-05-02 14:03 -------- d-----w- c:\documents and settings\setup\Application Data\MotionDSP
2011-05-02 14:03 . 2011-05-02 14:03 -------- d-----w- c:\program files\vReveal
2011-04-26 19:49 . 2011-04-26 19:49 -------- d-----w- c:\program files\NxRemoteXH
2011-04-21 13:38 . 2011-05-14 11:42 664 ----a-w- c:\documents and settings\tmudgett\Local Settings\Application Data\d3d9caps.tmp
2011-04-16 12:34 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-15 14:48 . 2011-04-15 14:48 249856 ------w- c:\windows\Setup1.exe
2011-04-15 14:48 . 2011-04-15 14:48 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-08 16:53 . 2011-03-08 16:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-08 16:53 . 2011-03-08 16:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-07 05:33 . 2010-11-03 21:55 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-13 23:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-13 23:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-28 22:37 . 2010-11-05 14:27 180624 ----a-w- c:\windows\system32\Primomonnt.dll
2011-02-22 23:06 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-13 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-13 23:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-13 23:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-13 23:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-13 23:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-11-05 16:41 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-13 23:00 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-22 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-22 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-22 134656]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-11-19 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-27 471040]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-11 1351680]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-11 1191936]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-06-15 115560]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2009-03-25 710480]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-05-31 63048]
"Timekeeper Central"="c:\program files\Kronos\Timekeeper Central\tkc\RemapClientDrives.exe" [2002-08-27 24576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-7-16 1253152]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2010-11-5 772608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-16 13:06 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CrossTec\\CrossTec Remote Control\\client32.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [4/27/2009 2:40 PM 293968]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [7/16/2009 1:04 PM 376096]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/27/2010 3:47 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [5/31/2010 12:31 PM 12856]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [1/14/2011 1:35 PM 196912]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [11/5/2010 10:45 AM 112128]
R3 ASMMEMORYDRIVER;ASMMEMORYDRIVER;c:\program files\Asset Services Management\ASMMemoryDriver.sys [11/5/2010 10:52 AM 2560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 7:56 AM 105592]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/5/2010 10:37 AM 109568]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/23/2009 5:55 PM 20504]
S0 cerc6;cerc6; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/15/2010 5:26 PM 23888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-17 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2011-01-14 18:36]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {627C5D14-CB66-493E-B0F3-589C7E2FA813} - hxxp://192.168.5.50/WebClient.cab
DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://192.168.5.49/user/TSBnwCam.CAB
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 21:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1380)
c:\windows\system32\LMIinit.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-05-15 21:20:28
ComboFix-quarantined-files.txt 2011-05-16 01:20
.
Pre-Run: 132,550,082,560 bytes free
Post-Run: 133,876,654,080 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
- - End Of File - - 11B49A3CF58C4818AAF63C653970BFE5
 
Okay, you can handle the Eset entries, then I have some questions:
The malware entries are in the Java cache. To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
  • [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
  • [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • [4]. Click Delete Files. The Delete Temporary Files dialog box appears. There are three options on this window to clear the cache. Check all:
    [o] Delete Files
    [o] View Applications
    [o] View Applets
  • [5]. Click OK on the Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • [6]. Click Apply > OK on the Temporary Files Settings window.
Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.
===================================
Questions & Comments:
1. Symantec Endpoint is supposed to be disabled when you run Combofix.
2. Is there some reason you didn't allow this?
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
3. Do you recognize enough of the following? It is a possible infected site: hxxp://kncpoll1
4. Can you give me any information about what these were:
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\itemp\WINDOWS
c:\documents and settings\kdurbin\WINDOWS
c:\documents and settings\setup\WINDOWS
c:\documents and settings\tmudgett\WINDOWS
5. And what are these? They are printer related:
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\spool\prtprocs\w32x86\hpzpp5no.dll
c:\documents and settings\tmudgett\My Documents\DPE.DUS
6. And what are these directories for Apple Computer? All created on 2011-05-13:
c:\documents and settings\tmudgett\Application Data\Apple Computer
c:\documents and settings\tmudgett\Local Settings\Application Data\Apple Computer
c:\documents and settings\LocalService\Application Data\Apple Computer
c:\documents and settings\setup\Application Data\Apple Computer
============================================
The deletions are puzzling as are some of the entries.
I also notice you are connecting remotely. Does that mean you do not have an IT person available?
 
Bobbye - thanks for your help with this issue. I removed the Java temporary files as instructed. Here are my responses to your questions:

1) I did disable Symantec before I ran the scan, but received the message you referred to. I allowed it to run because I did disable everything first.
2) I was surprised to see this message, because I allowed the recovery console to install when Combofix ran.
3) This is a network station that collects SPC data.
4) These are entries from our network administrators. Not sure how/why they are entered.
5) Not sure on these entries. Maybe related to network printers?
6) Received a new iPhone on 5/13 and iTunes was installed on my laptop.

We do have an IT person available, but he was on vacation the last week and I wanted to try to correct the problem without taking up his time when he returned. I did let him know about the trojans and to check our network.
 
Since many of the entries are either work related or 'I don't know what they are', if the office IT person has returned, I would prefer (and it would be safer for you) to have him/her check the system.

5 Good Reasons why I shouldn't be working on your work computer:

1) I did disable Symantec before I ran the scan, but received the message you referred to. I allowed it to run because I did disable everything first. Most office environments will not allow the endpoint protection to be disabled, or only the administrator can disable it.
2) I was surprised to see this message, because I allowed the recovery console to install when Combofix ran. You should check and see if the Recovery Console was actually installed.
3) This is a network station that collects SPC data. I don't know what 'SPC data' is. I am not qualified to make changes on a network workstation.
4) These are entries from our network administrators. Not sure how/why they are entered. These entries were removed by Combofix. It is possible that they were a False Positive. Only your ntw. admin. can determine that.
5) Not sure on these entries. Maybe related to network printers? They are related to the printer. Some were removed by Combofix, another possible False Positive.
6) Received a new iPhone on 5/13 and iTunes was installed on my laptop. But the entries are showing on your workstation.
 