01-10-2009, 06:09 AM   #7
moonkitten
Registered User
Join Date: Jan 2009
Posts: 7
OS: XP


Re: HELP! Constant popups and extremely slow computer

I had to use Safe Mode with Networking and McAfee seemed to start up anyway. At least, ComboFix thought it did.

Here is the log:

ComboFix 09-01-09.01 - t850260 2009-01-10 7:54:44.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3290 [GMT -5:00]
Running from: c:\documents and settings\t850260\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\afupavag.ini
c:\windows\system32\amikikez.ini
c:\windows\system32\azabajul.ini
c:\windows\system32\efcAQIxW.dll
c:\windows\system32\emanijag.ini
c:\windows\system32\ofayupub.ini
c:\windows\system32\omibivup.ini
c:\windows\system32\ozivavur.ini
c:\windows\system32\pewejima.dll
c:\windows\system32\uleyuzad.ini
c:\windows\system32\unigofep.ini
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://ONSMSPS2:80
hxxp://ONSMSPS2.corp.ads:80
hxxp://ONSMSDP2:80
.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-10 08:01 . 2009-01-10 08:01 16,384 --a----t- c:\temp\Perflib_Perfdata_4e8.dat
2009-01-10 08:01 . 2009-01-10 08:01 16,384 --a----t- c:\temp\Perflib_Perfdata_238.dat
2009-01-09 16:30 . 2009-01-09 17:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 16:17 . 2009-01-09 16:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-09 15:57 . 2009-01-09 15:57 250 --a------ c:\windows\gmer.ini
2009-01-09 09:34 . 2009-01-09 09:35 <DIR> d-------- c:\documents and settings\t850260\workspace
2009-01-09 09:29 . 2009-01-09 10:06 <DIR> d-------- C:\eclipse
2009-01-07 11:29 . 2007-08-10 19:53 76,288 --a------ c:\windows\system32\DWRCSET.DLL
2009-01-07 11:29 . 2007-08-01 22:05 73,728 --a------ c:\windows\system32\DWRCST.EXE
2009-01-07 11:29 . 2007-08-01 22:05 65,536 --a------ c:\windows\system32\DWRCShell.dll
2009-01-07 11:28 . 2007-08-10 19:47 223,232 --a------ c:\windows\system32\DWRCS.EXE
2009-01-07 11:28 . 2007-08-01 22:05 53,248 --a------ c:\windows\system32\DWRCK.DLL
2009-01-07 09:34 . 2009-01-07 09:34 <DIR> d-------- c:\documents and settings\t850260\.unlimitedftp
2009-01-07 08:43 . 2009-01-07 08:43 <DIR> d-------- c:\program files\Common Files\Mercury Interactive
2009-01-07 08:43 . 2009-01-07 11:38 221 --a------ c:\windows\mercury.ini
2009-01-06 07:52 . 2009-01-06 07:52 <DIR> d-------- c:\program files\trend micro
2009-01-05 13:34 . 2009-01-05 13:34 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-05 13:34 . 2009-01-05 13:34 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-01 12:02 . 2009-01-09 18:33 <DIR> d-------- C:\Quarantine
2008-12-17 19:05 . 2008-12-17 19:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-12-17 19:01 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-17 19:01 . 2005-03-14 12:03 278,584 --a------ c:\windows\system32\HPZidr12.dll
2008-12-17 19:01 . 2005-03-14 12:05 204,800 --a------ c:\windows\system32\HPZipr12.dll
2008-12-17 19:01 . 2005-03-08 11:55 94,208 --a------ c:\windows\system32\HPZipt12.dll
2008-12-17 19:01 . 2005-03-14 12:05 69,632 --a------ c:\windows\system32\HPZipm12.exe
2008-12-17 19:01 . 2005-03-14 13:39 65,536 --a------ c:\windows\system32\HPZinw12.exe
2008-12-17 19:01 . 2005-03-08 11:55 57,344 --a------ c:\windows\system32\HPZisn12.dll
2008-12-17 19:00 . 2008-12-17 19:09 <DIR> d-------- c:\program files\HP
2008-12-17 18:59 . 2008-12-17 19:07 105,070 --a------ c:\windows\HPFins09.dat
2008-12-17 18:59 . 2005-11-01 04:29 3,732 --a------ c:\windows\hpfmdl09.dat
2008-12-17 18:58 . 2005-10-27 04:51 77,824 -ra------ c:\windows\system32\hpzids01.dll
2008-12-17 18:58 . 2005-10-14 22:42 37,376 --a------ c:\windows\system32\hpz3l43a.dll
2008-12-15 14:23 . 2008-12-15 14:23 <DIR> d-------- c:\program files\Microsoft
2008-12-15 14:22 . 2008-12-15 14:22 <DIR> d-------- c:\program files\Windows Live SkyDrive
2008-12-15 14:22 . 2008-12-15 14:22 <DIR> d-------- c:\program files\Windows Live
2008-12-15 13:05 . 2008-12-15 13:05 <DIR> d-------- C:\apache-ant-1.7.0
2008-12-15 10:36 . 2008-12-15 10:36 <DIR> d-------- C:\oracle
2008-12-15 09:53 . 2008-12-15 10:36 <DIR> d-------- c:\program files\Oracle
2008-12-15 09:11 . 2008-01-26 06:25 <DIR> d---s---- c:\documents and settings\x112578\UserData
2008-12-15 09:11 . 2006-10-31 14:02 <DIR> d-------- c:\documents and settings\x112578\Application Data\Leadertech
2008-12-15 09:11 . 2008-01-26 01:55 <DIR> d-------- c:\documents and settings\x112578\Application Data\CyberLink
2008-12-15 09:11 . 2006-10-04 17:49 <DIR> d-------- c:\documents and settings\x112578\Application Data\AdobeUM
2008-12-15 09:11 . 2008-12-15 09:11 <DIR> d-------- c:\documents and settings\x112578
2008-12-15 08:06 . 2008-12-15 08:06 <DIR> d-------- C:\PointBase
2008-12-15 07:50 . 2008-12-15 07:59 <DIR> d-------- C:\bea
2008-12-14 15:16 . 2008-12-14 15:16 <DIR> d-------- c:\program files\Common Files\Windows Live
2008-12-14 11:22 . 2008-12-14 11:22 <DIR> d-------- c:\documents and settings\t850260\Application Data\Helios
2008-12-14 11:21 . 2008-12-14 11:21 <DIR> d-------- c:\program files\TextPad 5
2008-12-14 11:05 . 2009-01-10 08:02 <DIR> d-------- C:\MDT
2008-12-14 10:57 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-14 10:57 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2008-12-14 08:45 . 2008-12-14 08:45 <DIR> d-------- c:\documents and settings\t850260\Application Data\Windows Search
2008-12-13 08:33 . 2008-12-13 18:51 <DIR> d-------- c:\program files\WinReg
2008-12-12 20:19 . 2008-12-12 20:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-12 19:56 . 2008-12-12 19:56 <DIR> d-------- c:\documents and settings\t850260\Application Data\Quest Software
2008-12-12 19:17 . 2009-01-06 07:51 <DIR> d-------- c:\documents and settings\t850260\Application Data\CoreFTP
2008-12-12 17:04 . 2008-12-12 17:04 0 --a------ c:\windows\nsreg.dat
2008-12-12 16:50 . 2009-01-05 07:43 <DIR> d---s---- c:\temp\Temporary Internet Files
2008-12-12 16:50 . 2008-12-12 16:50 <DIR> d---s---- c:\temp\History
2008-12-12 16:50 . 2009-01-10 08:03 <DIR> d---s---- c:\temp\Cookies
2008-12-12 13:43 . 2008-12-12 13:44 <DIR> d-------- c:\program files\Macromedia
2008-12-12 13:43 . 2008-12-12 13:44 <DIR> d-------- c:\program files\Common Files\Macromedia
2008-12-12 13:28 . 2008-12-22 07:45 <DIR> d-------- c:\documents and settings\t850260\Tracing
2008-12-12 13:15 . 2008-12-17 18:57 <DIR> d-------- C:\C-backup
2008-12-12 13:11 . 2008-12-12 13:12 <DIR> d-------- c:\documents and settings\t654987\Application Data\ICQ
2008-12-12 13:08 . 2008-12-12 13:08 <DIR> d-------- c:\program files\CoreFTP
2008-12-12 12:52 . 2008-12-26 07:59 <DIR> d-------- C:\D-backup
2008-12-12 12:44 . 2008-12-12 12:44 <DIR> d-------- c:\documents and settings\t850260\Application Data\Windows Desktop Search
2008-12-12 12:43 . 2009-01-08 08:25 <DIR> d---s---- c:\documents and settings\t850260\UserData
2008-12-12 12:43 . 2006-10-31 14:02 <DIR> d-------- c:\documents and settings\t850260\Application Data\Leadertech
2008-12-12 12:43 . 2008-01-26 01:55 <DIR> d-------- c:\documents and settings\t850260\Application Data\CyberLink
2008-12-12 12:43 . 2006-10-04 17:49 <DIR> d-------- c:\documents and settings\t850260\Application Data\AdobeUM
2008-12-12 12:43 . 2009-01-09 09:34 <DIR> d-------- c:\documents and settings\t850260
2008-12-12 08:26 . 2009-01-10 07:22 <DIR> d-------- C:\mvfslogs
2008-12-11 12:20 . 2008-02-22 05:46 360,448 --a------ c:\windows\system32\nvudisp.exe
2008-12-11 12:20 . 2009-01-10 08:02 169,875 --a------ c:\windows\system32\nvapps.xml
2008-12-11 12:20 . 2008-02-22 05:46 17,848 --a------ c:\windows\system32\nvdisp.nvu
2008-12-11 12:19 . 2008-02-22 07:06 360,448 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-11 11:36 . 2008-12-11 11:36 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared
2008-12-11 11:08 . 2007-05-24 17:15 330,544 --a------ c:\windows\system32\drivers\mvfs50.sys
2008-12-11 11:08 . 2007-03-30 16:09 54,835 --a------ c:\windows\system32\ccasenp.dll
2008-12-11 11:08 . 2007-03-30 16:11 28,220 --a------ c:\windows\system32\cccredmgr.exe
2008-12-11 11:08 . 2007-04-12 10:19 20,019 --a------ c:\windows\system32\nplogon.exe
2008-12-11 11:08 . 2007-03-30 16:09 15,412 --a------ c:\windows\system32\ccnotify.dll
2008-12-11 10:57 . 2008-12-11 11:00 <DIR> d-------- c:\program files\Rational
2008-12-11 10:52 . 2008-12-11 10:52 <DIR> d-------- c:\program files\WinSCP
2008-12-11 10:48 . 2008-12-11 10:48 <DIR> d-------- c:\program files\SecureCRT
2008-12-11 10:48 . 2008-12-11 10:48 <DIR> d-------- c:\documents and settings\t654987\Application Data\VanDyke
2008-12-11 10:42 . 2008-12-11 10:42 <DIR> d-------- c:\program files\Microsoft Visual SourceSafe
2008-12-11 10:38 . 1996-07-18 13:06 297,472 --a------ c:\windows\uninst.exe
2008-12-11 10:37 . 2008-12-11 10:37 <DIR> d-------- c:\documents and settings\t654987\WINDOWS
2008-12-11 10:32 . 2008-12-11 10:32 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-11 10:32 . 2008-12-11 10:32 <DIR> d-------- c:\program files\Common Files\Quest Shared
2008-12-11 10:32 . 2008-12-11 10:32 <DIR> d-------- c:\documents and settings\t654987\Application Data\Software
2008-12-11 10:32 . 2008-12-11 11:05 <DIR> d-------- c:\documents and settings\t654987\Application Data\Quest Software
2008-12-11 10:28 . 2008-12-11 10:28 <DIR> d-------- c:\program files\Raize
2008-12-11 10:28 . 2008-12-11 10:33 <DIR> d-------- c:\program files\Quest Software
2008-12-11 10:28 . 2008-12-11 10:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raize
2008-12-11 10:28 . 2008-12-11 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Quest Software
2008-12-11 10:28 . 2002-08-09 08:00 1,381,376 --a------ c:\windows\system32\vcl70.bpl
2008-12-11 10:28 . 2002-08-09 08:00 778,240 --a------ c:\windows\system32\rtl70.bpl
2008-12-11 10:28 . 2002-08-09 08:00 227,328 --a------ c:\windows\system32\vclie70.bpl
2008-12-11 10:28 . 2005-01-08 03:00 24,064 --a------ c:\windows\system32\CS30Inspectors70.bpl
2008-12-11 10:27 . 2008-12-11 10:27 <DIR> d-------- c:\program files\PuTTY58
2008-12-11 10:20 . 2008-12-11 10:20 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-11 10:20 . 2008-12-11 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-11 10:17 . 2008-12-11 10:17 <DIR> d-------- c:\documents and settings\t654987\Tracing
2008-12-11 10:10 . 2008-12-11 12:03 <DIR> d-------- c:\documents and settings\t654987\Application Data\U3
2008-12-11 05:13 . 2008-12-11 05:13 <DIR> d-------- C:\Self Help
2008-12-11 05:13 . 2005-04-06 15:04 4,286 --a------ c:\windows\HelpWinXP.ico
2008-12-11 04:03 . 2008-06-13 08:10 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2008-12-11 03:44 . 2003-11-25 14:23 3,141 --a------ c:\windows\sendsched.vbs
2008-12-11 02:44 . 2008-12-24 06:44 <DIR> d-------- c:\windows\system32\VPCache
2008-12-10 16:36 . 2008-12-10 16:37 <DIR> d-------- c:\windows\system32\ccmsetup
2008-12-10 16:36 . 2008-12-10 16:37 <DIR> d-------- c:\windows\system32\CCM
2008-12-10 16:36 . 2008-12-10 16:36 <DIR> d-------- c:\windows\ms
2008-12-10 16:23 . 2008-12-10 16:23 <DIR> d-------- c:\program files\HEAT
2008-12-10 16:23 . 2008-12-10 16:23 <DIR> d-------- c:\program files\Common Files\Wintertree
2008-12-10 16:23 . 2005-06-30 12:04 2,121,728 --a------ c:\windows\system32\BCGCBPRO730.dll
2008-12-10 16:23 . 2005-06-30 12:03 28,672 --a------ c:\windows\system32\BCGPOleAcc.dll
2008-12-10 16:22 . 2006-09-08 13:29 2,516 --a------ c:\windows\system32\drivers\default.bin
2008-12-10 16:22 . 2006-09-08 13:29 2,516 --a------ c:\windows\system32\default.bin
2008-12-10 16:21 . 2008-12-10 16:21 <DIR> d-------- c:\program files\CheckPoint
2008-12-10 16:20 . 2009-01-10 08:01 <DIR> d-------- c:\temp\hsperfdata_SYSTEM
2008-12-10 16:20 . 2008-12-10 16:20 <DIR> d-------- c:\program files\marimba

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 12:52 --------- d-----w c:\program files\Java
2008-12-15 12:10 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-12 18:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 17:01 --------- d-----w c:\program files\Common Files\Adobe
2008-12-10 21:01 4,128 ----a-w c:\windows\system32\drivers\INFCACHE.1
1601-01-01 00:12 18,432 --sha-w c:\windows\system32\wojukoro.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-04-04 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2004-11-01 176216]
"CCDoctorLogonTesting"="c:\program files\Rational\ClearCase\bin\ccdoctor.exe" [2007-05-16 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2008-02-22 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2008-02-22 c:\windows\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2008-02-22 c:\windows\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\t654987\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-12-11 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-27 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ccnotify]
2007-03-30 16:09 15412 c:\windows\system32\ccnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2006-09-08 13:29 24686 c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\corp.ads\netlogon\Secure Scripts\LocalAdmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=SMS2003.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=CopySelfHelp.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=MarimbaCheck.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\4\0]
"Script"=SetDefaults.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\4\1]
"Script"=WirelessDNS.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1119643175-775699462-1943422765-542995\Scripts\Logon\0\0]
"Script"=UserInit.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1119643175-775699462-1943422765-542995\Scripts\Logon\1\0]
"Script"=User_IM_RunOnce.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1119643175-775699462-1943422765-542995\Scripts\Logon\2\0]
"Script"=ResetUserDS.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1119643175-775699462-1943422765-542995\Scripts\Logon\3\0]
"Script"=LogonScript.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1119643175-775699462-1943422765-542995\Scripts\Logon\3\1]
"Script"=TELUS_Logos.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1119643175-775699462-1943422765-542995\Scripts\Logon\4\0]
"Script"=EmergisCommunicator.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Executive Software\\Diskeeper\\dkservice.exe"=
"c:\\Program Files\\Marimba\\tuner\\lib\\jre\\bin\\java.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\SAPgui.exe"=
"c:\\WINDOWS\\system32\\dmremote.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe"=
"c:\\WINDOWS\\system32\\mnmsrvc.exe"=
"c:\\WINDOWS\\system32\\rsh.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\wbem\\unsecapp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"445:TCP"= 445:TCP:File/Print Sharing
"137:UDP"= 137:UDP:File/Print Sharing
"138:UDP"= 138:UDP:File/Print Sharing
"135:tcp"= 135:tcp:Remote Assistance
"139:udp"= 139:udp:File/Print Sharing
"21:tcp"= 21:tcp:FTP
"2701:tcp"= 2701:tcp:SMS Remote contact, reboot, and ping
"2702:tcp"= 2702:tcp:SMS Remote Control
"2703:tcp"= 2703:tcp:SMS Chat
"2704:tcp"= 2704:tcp:SMS File Transfer
"3389:*"= 3389:Remote Desktop
"6129:tcp"= 6129:tcp:DameWare Remote Control

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-02-15 26624]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2006-09-08 2234320]
R1 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.SYS [2006-11-16 18432]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-02-07 2944]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-09-19 24521]
R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [2008-12-11 330544]
R4 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2006-09-08 36464]
R4 MarimbaTunerwin;MarimbaTuner_win;c:\program files\marimba\tuner\Tuner.exe [2007-08-01 36953]
R4 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2006-09-08 109232]
R4 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2006-09-08 671472]
S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [2008-02-19 71168]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-11-20 87936]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-09-19 155216]
S3 OracleOracleHome92ClientCache;OracleOracleHome92ClientCache;c:\oracle\ora92\bin\ONRSD.EXE [2002-04-26 242328]
S3 pmxps2m;PMXPS2M;c:\windows\system32\drivers\pmxps2m.sys [2006-11-16 16384]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2006-12-04 14336]
S4 Albd;Atria Location Broker;c:\program files\Rational\ClearCase\bin\albd_server.exe [2007-03-30 176186]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5544d78b-3018-11dd-8cca-806d6172696f}]
\Shell\AutoRun\command - NOTEPAD.EXE ReadMe.txt

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c49edc36-c898-11dd-acd0-444553544200}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\CurrentUserProfilePrep]
c:\support\CUPrep.cmd
.
- - - - ORPHANS REMOVED - - - -

BHO-{87c675d4-abe2-4f90-bb49-295f8f49c5dd} - (no file)
HKLM-Run-PMX Daemon - ICO.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = hxxp://emergisweb/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intranet.telusquebec.com
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

c:\windows\system32\capicom.dll - c:\windows\Downloaded Program Files\Spider91.ocx
O16 -: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF}
hxxps://www.emergistestdirector.com/qcbin/Spider91.cab
c:\windows\Downloaded Program Files\Spider91.inf
FF - ProfilePath - c:\documents and settings\t850260\Application Data\Mozilla\Firefox\Profiles\ysuot3ao.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 08:03:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1816)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\ccnotify.dll
c:\windows\system32\ccasenp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\windows\system32\scardsvr.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\windows\system32\DWRCS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Rational\ClearCase\bin\lockmgr.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\locator.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\DWRCST.EXE
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\cccredmgr.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\msiexec.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\marimba\tuner\.marimba\MarimbaTuner_win\ch.3\data\sum.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\marimba\tuner\lib\minituner.exe
.
**************************************************************************
.
Completion time: 2009-01-10 830 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 1326

Pre-Run: 92,718,993,408 bytes free
Post-Run: 92,958,793,728 bytes free
