
Browser Redirects and Rogue Anti Virus Pop-ups


  • This topic is locked

#1
jolces

    Member

  • 53 posts
Hi All:

Below is the OTL log. I am having a browser redirect issue: every time I click on a link from a search engine or from a site, I get redirected to unintended sites by force. It happens both in IE and Firefox. When using a browser, I also get pop-ups running a rogue anti-virus that cannot be closed and lock up the browser. Please advise, thanks!

OTL logfile created on: 2011/05/01 12:39:03 PM - Run 4
OTL by OldTimer - Version 3.2.20.6 Folder = d:\data\rainmaker\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy/MM/dd

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 60.45 Gb Total Space | 33.52 Gb Free Space | 55.45% Space Free | Partition Type: NTFS
Drive D: | 32.70 Gb Total Space | 8.55 Gb Free Space | 26.16% Space Free | Partition Type: NTFS

Computer Name: BR3F8433 | User Name: rainmaker | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/01 12:30:45 | 000,168,448 | ---- | M] () -- d:\data\rainmaker\Application Data\Microsoft\conhost.exe
PRC - [2011/04/30 13:03:51 | 000,180,224 | ---- | M] () -- d:\data\rainmaker\Application Data\dwm.exe
PRC - [2011/04/30 12:58:26 | 000,176,128 | ---- | M] () -- D:\data\rainmaker\Local Settings\Temp\csrss.exe
PRC - [2011/02/20 00:00:55 | 000,602,624 | ---- | M] (OldTimer Tools) -- d:\data\rainmaker\My Documents\Downloads\OTL.exe
PRC - [2010/12/16 21:17:02 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/12/16 21:16:56 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/28 14:03:29 | 000,397,176 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\BitTorrent\BitTorrent.exe
PRC - [2010/06/01 10:17:48 | 005,252,408 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2010/01/15 08:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007/08/13 21:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2007/08/13 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2007/07/25 17:16:42 | 000,073,728 | ---- | M] (DameWare Development) -- C:\WINNT\system32\DWRCST.EXE
PRC - [2007/07/25 17:16:30 | 000,222,720 | ---- | M] (DameWare Development LLC) -- C:\WINNT\system32\DWRCS.EXE
PRC - [2007/05/31 19:02:06 | 000,036,400 | ---- | M] (Lenovo) -- C:\WINNT\system32\ibmpmsvc.exe
PRC - [2007/03/02 18:49:00 | 000,037,680 | ---- | M] (Lenovo.) -- C:\WINNT\system32\TPHDEXLG.exe
PRC - [2006/11/29 18:47:28 | 000,126,976 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
PRC - [2006/11/29 18:47:28 | 000,086,016 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
PRC - [2006/02/09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\CCM\CcmExec.exe
PRC - [2005/10/06 23:18:26 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
PRC - [2005/09/06 17:51:08 | 000,053,248 | ---- | M] (Alexandria Software Consulting) -- c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
PRC - [2005/09/06 17:50:50 | 000,045,056 | ---- | M] (Nortel Networks) -- C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
PRC - [2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/02/20 00:00:55 | 000,602,624 | ---- | M] (OldTimer Tools) -- d:\data\rainmaker\My Documents\Downloads\OTL.exe
MOD - [2006/08/25 09:45:56 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (PsaSrv)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/11/17 15:33:43 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/08/30 16:06:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/08/13 21:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2007/08/13 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2007/07/25 17:16:30 | 000,222,720 | ---- | M] (DameWare Development LLC) [Auto | Running] -- C:\WINNT\System32\DWRCS.EXE -- (DWMRCS)
SRV - [2007/05/31 19:02:06 | 000,036,400 | ---- | M] (Lenovo) [Auto | Running] -- C:\WINNT\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2007/03/02 18:49:00 | 000,037,680 | ---- | M] (Lenovo.) [Auto | Running] -- C:\WINNT\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2006/11/30 19:09:32 | 001,310,720 | ---- | M] (iPass, Inc.) [On_Demand | Stopped] -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe -- (iPassConnectEngine)
SRV - [2006/11/29 18:47:28 | 000,126,976 | ---- | M] (iPass, Inc.) [On_Demand | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe -- (iPassPeriodicUpdateApp)
SRV - [2006/11/29 18:47:28 | 000,086,016 | ---- | M] (iPass, Inc.) [Auto | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe -- (iPassPeriodicUpdateService)
SRV - [2006/07/25 15:23:30 | 002,635,480 | ---- | M] (Sygate Technologies, Inc.) [Disabled | Stopped] -- c:\Program Files\Sygate\SSA\Smc.exe -- (SmcService)
SRV - [2006/07/25 15:14:52 | 000,323,658 | ---- | M] (Sygate Technologies, Inc.) [On_Demand | Stopped] -- c:\Program Files\Sygate\SSA\Maga\Maga.exe -- (magaService)
SRV - [2006/05/09 18:37:50 | 000,835,584 | ---- | M] (Nortel Networks NA, Inc.) [On_Demand | Stopped] -- C:\Program Files\Nexxia\Extranet_serv.exe -- (ExtranetAccess)
SRV - [2006/02/09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2005/10/06 23:18:26 | 000,385,024 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)
SRV - [2005/09/06 17:51:08 | 000,053,248 | ---- | M] (Alexandria Software Consulting) [Auto | Running] -- c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe -- (tunnelguardservice)


========== Driver Services (SafeList) ==========

DRV - [2008/11/17 15:04:01 | 000,021,419 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\iPassP.sys -- (iPassP) iPass Protocol (IEEE 802.1x)
DRV - [2008/11/17 15:04:01 | 000,021,419 | ---- | M] (Meetinghouse Data Communications) [File_System | Disabled | Stopped] -- C:\WINNT\system32\drivers\iPassP.sys -- (Fa0irdasards)
DRV - [2007/12/19 15:27:48 | 000,013,184 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\psadd.sys -- (psadd)
DRV - [2007/09/07 21:50:00 | 000,064,168 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2007/08/13 21:50:00 | 000,171,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2007/08/13 21:50:00 | 000,072,712 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2007/08/13 21:50:00 | 000,052,200 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2007/08/13 21:50:00 | 000,034,184 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2007/08/13 21:50:00 | 000,032,008 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2007/08/09 16:33:14 | 000,013,360 | ---- | M] (Lenovo Group Limited) [Kernel | On_Demand | Stopped] -- C:\DRIVERS\T60\BIOS\tpflhlp.sys -- (tpflhlp)
DRV - [2007/06/21 03:43:26 | 002,208,512 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/06/18 01:16:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2007/05/31 19:01:30 | 000,021,424 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2007/03/21 12:58:56 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/03/20 09:01:08 | 000,099,328 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\symmpi.sys -- (Symmpi)
DRV - [2007/03/02 18:49:00 | 000,100,656 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINNT\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2007/03/02 18:47:00 | 000,019,760 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINNT\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2007/01/12 15:05:58 | 000,246,680 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/01/10 02:56:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2006/10/02 01:55:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINNT\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2006/10/02 01:55:00 | 000,009,343 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2006/07/25 15:24:26 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\SYSTEM32\Drivers\wg6n.sys -- (wg6n)
DRV - [2006/07/25 15:24:24 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\SYSTEM32\Drivers\wg5n.sys -- (wg5n)
DRV - [2006/07/25 15:24:20 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\SYSTEM32\Drivers\wg4n.sys -- (wg4n)
DRV - [2006/07/25 15:24:16 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\SYSTEM32\Drivers\wg3n.sys -- (wg3n)
DRV - [2006/07/25 14:59:48 | 000,021,075 | ---- | M] (Sygate Technologies, Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\wpsdrvnt.sys -- (wpsdrvnt)
DRV - [2006/07/25 14:57:10 | 000,061,008 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINNT\SYSTEM32\Drivers\Teefer.sys -- (Teefer)
DRV - [2006/05/09 18:47:10 | 000,024,521 | ---- | M] (Nortel Networks) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\eacfilt.sys -- (Eacfilt)
DRV - [2006/05/09 18:46:42 | 000,155,216 | ---- | M] (Nortel Networks NA, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ipsecw2k.sys -- (IPSECSHM)
DRV - [2006/05/09 18:46:42 | 000,155,216 | ---- | M] (Nortel Networks NA, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\ipsecw2k.sys -- (IPSECEXT)
DRV - [2006/02/14 14:04:58 | 000,177,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/02/09 03:50:00 | 000,020,704 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2006/02/01 15:09:40 | 000,017,699 | ---- | M] (IBM Corporation) [Kernel | System | Running] -- C:\WINNT\system32\drivers\TPHKDRV.sys -- (TPHKDRV)
DRV - [2005/12/15 14:19:20 | 000,173,056 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2005/12/06 11:21:32 | 000,936,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hsx_dpv.sys -- (HSF_DPV)
DRV - [2005/12/06 11:20:48 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hsxhwazl.sys -- (HSXHWAZL)
DRV - [2005/12/06 11:20:42 | 000,670,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hsx_cnxt.sys -- (winachsf)
DRV - [2005/05/17 09:20:06 | 000,015,872 | ---- | M] (Atmel, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\atmeltpm.sys -- (atmeltpm)
DRV - [2005/04/27 11:27:34 | 000,063,616 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2005/04/27 10:16:46 | 000,005,427 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINNT\system32\egathdrv.sys -- (EGATHDRV)
DRV - [2005/04/27 10:15:50 | 000,006,912 | ---- | M] (IBM Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\ANCSQ.sys -- (ANCSQ)
DRV - [2005/01/07 16:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 00:00:52 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2002/11/26 15:54:58 | 000,016,936 | ---- | M] (Smith Micro Software, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMNDIS5.sys -- (SMNDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cmweb.rbccm.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cmweb.rbccm.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cmweb.rbccm.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:53273

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53273
FF - prefs.js..network.proxy.type: 1


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/02/20 15:01:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/01 15:57:44 | 000,000,000 | ---D | M]

[2010/10/21 07:26:44 | 000,000,000 | ---D | M] (No name found) -- d:\data\rainmaker\Application Data\Mozilla\Extensions
[2011/02/22 11:08:57 | 000,000,000 | ---D | M] (No name found) -- d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0oy9apyi.default\extensions
[2011/04/30 12:49:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/01 15:57:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/04/01 15:57:24 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/04/01 15:57:22 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2002/08/29 08:00:00 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [conhost] d:\data\rainmaker\Application Data\Microsoft\conhost.exe ()
O4 - HKCU..\Run: [BitTorrent] C:\Program Files\BitTorrent\BitTorrent.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [jstowfgq] d:\data\rainmaker\Local Settings\Temp\wggxobvfa\qxpwnhvjfdi.exe ()
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINNT\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe ()
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe ()
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\TunnelGuard Tray Monitor.lnk = C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE (Nortel Networks)
F3 - HKCU WinNT: Load - (d:\data\RAINMA~1\LOCALS~1\Temp\csrss.exe) - d:\data\rainmaker\Local Settings\Temp\csrss.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonType = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuNetworkPlaces = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Intellimenus = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 1
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O15 - HKLM\..Trusted Domains: catokvs101 ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: rbc.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: rbc.com ([*.oak.fg] * in Local intranet)
O15 - HKLM\..Trusted Domains: rbc.com ([mis.fg] https in Trusted sites)
O15 - HKLM\..Trusted Domains: rbc.com ([pmtprojectserver.fg] http in Trusted sites)
O15 - HKLM\..Trusted Domains: rbccm.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: rbccm.com ([crm] * in Local intranet)
O15 - HKLM\..Trusted Domains: royalbank.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: rbc.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: royalbank.com ([]* in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_13)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oak.fg.rbc.com
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (d:\data\rainmaker\Application Data\dwm.exe) - d:\data\rainmaker\Application Data\dwm.exe ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINNT\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINNT\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINNT\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\WINNT\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINNT\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/06 21:43:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/01 15:57:59 | 000,000,000 | ---D | C] -- d:\data\All Users\Application Data\Sun

========== Files - Modified Within 30 Days ==========

[2011/05/01 12:36:41 | 000,005,761 | ---- | M] () -- d:\data\rainmaker\Application Data\0E3A.6C1
[2011/05/01 12:31:22 | 000,000,392 | ---- | M] () -- C:\WINNT\smscfg.ini
[2011/05/01 12:30:31 | 000,002,193 | ---- | M] () -- d:\data\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2011/05/01 12:29:53 | 000,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2011/05/01 12:29:49 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2011/04/30 13:03:51 | 000,180,224 | ---- | M] () -- d:\data\rainmaker\Application Data\dwm.exe
[2011/04/30 12:55:05 | 000,003,852 | -HS- | M] () -- d:\data\All Users\Application Data\34352o2be027ho55i2d7a7vvq87lyn
[2011/04/30 12:39:28 | 000,001,324 | ---- | M] () -- C:\WINNT\System32\d3d9caps.dat
[2011/04/11 10:26:01 | 000,002,419 | ---- | M] () -- d:\data\All Users\Desktop\Citrix Program Neighborhood.lnk2
[2011/04/11 10:25:46 | 000,000,370 | ---- | M] () -- C:\WINNT\ODBC.INI
[2011/04/11 10:22:07 | 000,004,592 | -HS- | M] () -- d:\data\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq

========== Files Created - No Company Name ==========

[2011/04/30 13:03:51 | 000,180,224 | ---- | C] () -- d:\data\rainmaker\Application Data\dwm.exe
[2011/04/30 12:57:43 | 000,005,761 | ---- | C] () -- d:\data\rainmaker\Application Data\0E3A.6C1
[2011/04/30 12:54:23 | 000,003,852 | -HS- | C] () -- d:\data\All Users\Application Data\34352o2be027ho55i2d7a7vvq87lyn
[2011/04/11 10:18:40 | 000,004,592 | -HS- | C] () -- d:\data\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq
[2011/03/27 14:28:06 | 000,011,016 | -HS- | C] () -- d:\data\All Users\Application Data\72xy4j5pr746copb247k3woh
[2010/10/21 09:24:26 | 000,002,847 | ---- | C] () -- C:\WINNT\System32\DWRCS.INI
[2010/10/21 08:04:22 | 000,011,264 | ---- | C] () -- d:\data\rainmaker\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/18 16:00:01 | 000,000,118 | ---- | C] () -- d:\data\rainmaker\Local Settings\Application Data\fusioncache.dat
[2008/11/17 15:29:37 | 000,000,786 | ---- | C] () -- C:\WINNT\EPFax.INI
[2008/11/17 15:29:37 | 000,000,049 | ---- | C] () -- C:\WINNT\mailroom.ini
[2008/11/17 15:29:35 | 000,000,186 | ---- | C] () -- C:\WINNT\pagesuit.ini
[2008/11/17 15:29:34 | 000,023,040 | ---- | C] () -- C:\WINNT\System32\irisco32.dll
[2008/11/17 15:29:28 | 000,086,016 | ---- | C] () -- C:\WINNT\System32\Mrsplnt.dll
[2008/11/17 15:29:25 | 000,086,016 | ---- | C] () -- C:\WINNT\System32\Mrinst.dll
[2008/11/17 15:29:25 | 000,009,142 | ---- | C] () -- C:\WINNT\MR2000.ini
[2008/11/17 15:29:22 | 000,252,768 | ---- | C] () -- C:\WINNT\System32\capicom.dll
[2008/11/17 13:46:05 | 000,007,168 | ---- | C] () -- C:\WINNT\System32\drivers\TSMAPIP.SYS
[2008/11/17 13:44:42 | 000,009,343 | ---- | C] () -- C:\WINNT\System32\drivers\TDSMAPI.SYS
[2008/11/17 13:42:51 | 000,077,824 | ---- | C] () -- C:\WINNT\System32\SynTPCoI.dll
[2008/11/17 13:42:20 | 000,004,442 | ---- | C] () -- C:\WINNT\System32\drivers\TPPWRIF.SYS
[2008/11/17 13:35:21 | 000,028,672 | ---- | C] () -- C:\WINNT\System32\notifyf2.dll
[2008/11/17 13:35:21 | 000,024,576 | ---- | C] () -- C:\WINNT\System32\tphklock.dll
[2007/12/19 16:22:04 | 000,000,392 | ---- | C] () -- C:\WINNT\smscfg.ini
[2007/12/19 15:43:37 | 000,000,280 | ---- | C] () -- C:\WINNT\System32\epoPGPsdk.dll.sig
[2007/12/19 15:33:22 | 000,000,370 | ---- | C] () -- C:\WINNT\ODBC.INI
[2007/11/06 21:30:40 | 000,009,728 | ---- | C] () -- C:\WINNT\L6DLOG.DLL
[2007/11/06 21:30:40 | 000,008,192 | ---- | C] () -- C:\WINNT\L6DWAPI.DLL
[2007/11/06 21:30:40 | 000,007,680 | ---- | C] () -- C:\WINNT\L6DNCB.DLL
[2007/11/06 21:29:10 | 000,027,440 | ---- | C] () -- C:\WINNT\System32\drivers\secdrv.sys
[2007/11/06 21:27:55 | 000,081,920 | ---- | C] () -- C:\WINNT\System32\ieencode.dll
[2007/11/06 16:36:26 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[2006/07/25 15:22:12 | 000,235,152 | ---- | C] () -- C:\WINNT\System32\SetAid.dll
[2005/04/27 10:53:10 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\pwdmon.dll
[2005/04/27 10:53:10 | 000,019,853 | ---- | C] () -- C:\WINNT\ibmprc.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINNT\System32\OUTLPERF.INI

========== LOP Check ==========

[2008/11/17 15:04:06 | 000,000,000 | ---D | M] -- d:\data\All Users\Application Data\iPass
[2010/11/08 08:54:36 | 000,000,000 | ---D | M] -- d:\data\rainmaker\Application Data\111 Pix Ltd
[2011/05/01 12:40:36 | 000,000,000 | ---D | M] -- d:\data\rainmaker\Application Data\BitTorrent
[2011/02/22 10:34:47 | 000,000,316 | ---- | M] () -- C:\WINNT\Tasks\PMTask.job

========== Purity Check ==========



< End of report >

#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, let's see if we can get you back on the road.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - [2011/05/01 12:30:45 | 000,168,448 | ---- | M] () -- d:\data\rainmaker\Application Data\Microsoft\conhost.exe
    PRC - [2011/04/30 13:03:51 | 000,180,224 | ---- | M] () -- d:\data\rainmaker\Application Data\dwm.exe
    PRC - [2011/04/30 12:58:26 | 000,176,128 | ---- | M] () -- D:\data\rainmaker\Local Settings\Temp\csrss.exe
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:53273
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 53273
    FF - prefs.js..network.proxy.type: 1
    O4 - HKLM..\Run: [conhost] d:\data\rainmaker\Application Data\Microsoft\conhost.exe ()
    O4 - HKCU..\Run: [jstowfgq] d:\data\rainmaker\Local Settings\Temp\wggxobvfa\qxpwnhvjfdi.exe ()
    F3 - HKCU WinNT: Load - (d:\data\RAINMA~1\LOCALS~1\Temp\csrss.exe) - d:\data\rainmaker\Local Settings\Temp\csrss.exe ()
    O20 - HKCU Winlogon: Shell - (d:\data\rainmaker\Application Data\dwm.exe) - d:\data\rainmaker\Application Data\dwm.exe ()
    [2011/04/30 13:03:51 | 000,180,224 | ---- | M] () -- d:\data\rainmaker\Application Data\dwm.exe
    [2011/04/30 12:55:05 | 000,003,852 | -HS- | M] () -- d:\data\All Users\Application Data\34352o2be027ho55i2d7a7vvq87lyn
    [2011/04/11 10:22:07 | 000,004,592 | -HS- | M] () -- d:\data\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq
    [2011/03/27 14:28:06 | 000,011,016 | -HS- | C] () -- d:\data\All Users\Application Data\72xy4j5pr746copb247k3woh

    :Files
    ipconfig /flushdns /c
    d:\data\All Users\Application Data\34352o2be027ho55i2d7a7vvq87lyn
    d:\data\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq
    d:\data\All Users\Application Data\72xy4j5pr746copb247k3woh
    D:\data\rainmaker\Local Settings\Temp\csrss.exe

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download aswMBR.exe (511KB) to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.
Posted Image

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
Posted Image
  • 0

#3
jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
Thanks for the quick reply. I tried to copy/paste the OTL script below and click on Run Fix. I tried it 3 times and each time the script starts to run, I can see the bottom toolbar close and then it kicks off the blue physical memory dump screen. I rebooted each time, completely rebooting and restarting and then trying again, but got the same result.

Message says

*** Stop: 0x000000f4 (0x00000003, 0x87624020, 0x876241194, 0x805d13b6)
  • 0

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No problem, we have the ways and means to sort that :)

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> Run as administrator; for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
Please post the contents of the RKreport.txt in your next reply.

Then re-run the OTL fix
  • 0

#5
jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
OK, I was able to run RogueKiller; below is the log. Once again, I got the same blue screen when trying the OTL fix again.

RogueKiller V5.0.0 [04/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: rainmaker [Admin rights]
Mode: Scan -- Date : 05/01/2011 18:54:35

Bad processes: 3
[APPDT/TMP/DESKTOP] dwm.exe -- d:\data\rainmaker\application data\dwm.exe -> KILLED
[APPDT/TMP/DESKTOP] conhost.exe -- d:\data\rainmaker\application data\microsoft\conhost.exe -> KILLED
[APPDT/TMP/DESKTOP] csrss.exe -- d:\data\rainma~1\locals~1\temp\csrss.exe -> KILLED

Registry Entries: 20
[APPDT/TMP/DESKTOP] HKCU\[...]\Run : jstowfgq (d:\data\RAINMA~1\LOCALS~1\Temp\wggxobvfa\qxpwnhvjfdi.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKLM\[...]\Run : conhost (d:\data\rainmaker\Application Data\Microsoft\conhost.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKUS\S-1-5-21-3970871231-569803043-2501163284-1009[...]\Run : jstowfgq (d:\data\RAINMA~1\LOCALS~1\Temp\wggxobvfa\qxpwnhvjfdi.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKCU\[...]\Winlogon : Shell (explorer.exe,d:\data\rainmaker\Application Data\dwm.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKCU\[...]\Windows : load (d:\data\RAINMA~1\LOCALS~1\Temp\csrss.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKUS\S-1-5-21-3970871231-569803043-2501163284-1009[...]\Winlogon : Shell (explorer.exe,d:\data\rainmaker\Application Data\dwm.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKUS\S-1-5-21-3970871231-569803043-2501163284-1009[...]\Windows : load (d:\data\RAINMA~1\LOCALS~1\Temp\csrss.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:53273) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{61F7FDB4-9189-4629-B0F0-8F4F903002EF} : NameServer (93.188.164.50,93.188.160.230) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{D6CD12DF-4487-42F7-85D8-30051DCA4624} : NameServer (93.188.164.50,93.188.160.230) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{D9B57E24-83B8-45DF-96EA-B58497BF8616} : NameServer (93.188.164.50,93.188.160.230) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{61F7FDB4-9189-4629-B0F0-8F4F903002EF} : NameServer (93.188.164.50,93.188.160.230) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{D6CD12DF-4487-42F7-85D8-30051DCA4624} : NameServer (93.188.164.50,93.188.160.230) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{D9B57E24-83B8-45DF-96EA-B58497BF8616} : NameServer (93.188.164.50,93.188.160.230) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("d:\data\tp\Local Settings\Application Data\ark.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command : ("d:\data\tp\Local Settings\Application Data\ark.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("d:\data\tp\Local Settings\Application Data\ark.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
  • 0
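The OTL fix in reply #2 and the RogueKiller report above list the same set of indicators: Windows-named binaries (csrss.exe, dwm.exe, conhost.exe) running from Application Data or Temp, Run and Winlogon Shell entries pointing at them, a manual HTTP proxy on 127.0.0.1 in both IE and Firefox, interface NameServer values replaced with internet hosts, Security Center notifications silenced, and the browser launch commands wrapped by ark.exe. As an added example (not code from the thread, RogueKiller or OTL), the following Python triage helper parses report lines in the layout quoted above and maps each one onto one of those hijack techniques. The line layout is an assumption modelled on this report; other RogueKiller versions may differ. The sample report and prefs.js snippet are constructed from the values quoted in the thread.

```python
"""Triage helper for RogueKiller-style report lines and Firefox prefs.js.

Added example, not part of the thread, RogueKiller or OTL. The line layout it
parses is an assumption modelled on the report quoted in this thread.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str  # bracketed tag, e.g. "PROXY IE" or "DNS"
    key: str       # registry key path, or "" for a process line
    subject: str   # process name or registry value name
    detail: str    # process path or registry value data
    action: str    # FOUND, KILLED, DELETED, REPLACED ...


# "[TAG] body -> ACTION"
LINE_RE = re.compile(r"^\[(?P<cat>[^\]]+)\]\s+(?P<body>.*?)\s+->\s+(?P<action>.+)$")
# "name.exe -- d:\path\name.exe"
PROCESS_RE = re.compile(r"^(?P<name>\S+)\s+--\s+(?P<path>.+)$")
# "HKCU\[...]\Key : ValueName (data)"; ValueName is absent on FILEASSO lines
REG_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?:(?P<name>[^()]+?)\s+)?\((?P<value>.*)\)$")
# 'user_pref("name", value);'
PREF_RE = re.compile(r'user_pref\("(?P<name>[^"]+)",\s*(?P<value>[^)]+)\);')

# Windows binaries that belong in %SystemRoot%\System32; a copy running from
# Application Data or Temp is an imposter, as in this thread.
SYSTEM_BINARIES = {"csrss.exe", "conhost.exe", "dwm.exe", "winlogon.exe",
                   "svchost.exe", "lsass.exe", "explorer.exe"}

# Constructed sample in the report layout quoted in the thread.
SAMPLE_REPORT = r"""
Bad processes: 2
[APPDT/TMP/DESKTOP] dwm.exe -- d:\data\rainmaker\application data\dwm.exe -> KILLED
[APPDT/TMP/DESKTOP] csrss.exe -- d:\data\rainma~1\locals~1\temp\csrss.exe -> KILLED

Registry Entries: 6
[APPDT/TMP/DESKTOP] HKCU\[...]\Run : jstowfgq (d:\data\RAINMA~1\LOCALS~1\Temp\wggxobvfa\qxpwnhvjfdi.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKCU\[...]\Winlogon : Shell (explorer.exe,d:\data\rainmaker\Application Data\dwm.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:53273) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{61F7FDB4-9189-4629-B0F0-8F4F903002EF} : NameServer (93.188.164.50,93.188.160.230) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("d:\data\tp\Local Settings\Application Data\ark.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> FOUND
"""

# Constructed prefs.js fragment with the Firefox settings quoted in the thread.
SAMPLE_PREFS = """user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 53273);
user_pref("network.proxy.type", 1);
"""


def parse_report(text: str) -> list:
    """Turn report lines into Findings; lines that do not match are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        cat, body, action = m.group("cat"), m.group("body"), m.group("action")
        reg, proc = REG_RE.match(body), PROCESS_RE.match(body)
        if reg:
            name = reg.group("name") or reg.group("key").rsplit("\\", 1)[-1]
            findings.append(Finding(cat, reg.group("key"), name.strip(), reg.group("value"), action))
        elif proc:
            findings.append(Finding(cat, "", proc.group("name"), proc.group("path"), action))
    return findings


def triage(findings) -> list:
    """Map findings onto the hijack techniques seen in this thread; returns (kind, subject, detail)."""
    alerts = []
    for f in findings:
        value = f.detail.strip()
        if f.category == "APPDT/TMP/DESKTOP":
            if not f.key:  # a process running from a user-writable location
                kind = ("masquerading-system-binary" if f.subject.lower() in SYSTEM_BINARIES
                        else "process-in-user-writable-path")
                alerts.append((kind, f.subject, value))
            elif "\\Run" in f.key:  # Run key pointing into Application Data / Temp
                alerts.append(("autorun-from-user-writable-path", f.subject, value))
            elif f.subject in ("Shell", "load"):  # Winlogon Shell / Windows load
                alerts.append(("winlogon-persistence", f.subject, value))
        elif f.category.startswith("PROXY") and "127.0.0.1" in value:
            alerts.append(("localhost-proxy", f.subject, value))  # traffic forced through a local listener
        elif f.category == "DNS":
            for ip in value.split(","):
                try:
                    addr = ipaddress.ip_address(ip.strip())
                except ValueError:
                    continue
                if addr.is_global:  # resolver overridden with an internet host
                    alerts.append(("external-dns-server", f.subject, str(addr)))
        elif f.category == "HJ" and f.subject.endswith("DisableNotify") and value == "1":
            alerts.append(("security-center-silenced", f.subject, value))
        elif f.category == "FILEASSO":
            exes = re.findall(r'"([^"]+\.exe)"', value, re.IGNORECASE)
            if len(exes) >= 2:  # browser started through an intermediary executable
                alerts.append(("browser-launch-wrapper", f.subject, exes[0]))
    return alerts


def firefox_manual_loopback_proxy(prefs_js: str) -> bool:
    """True when prefs.js sets a manual (type 1) HTTP proxy on 127.0.0.1."""
    prefs = {m.group("name"): m.group("value").strip().strip('"')
             for m in PREF_RE.finditer(prefs_js)}
    return prefs.get("network.proxy.type") == "1" and prefs.get("network.proxy.http") == "127.0.0.1"


if __name__ == "__main__":
    for kind, subject, detail in triage(parse_report(SAMPLE_REPORT)):
        print(f"{kind:32} {subject}: {detail}")
    print("firefox loopback proxy:", firefox_manual_loopback_proxy(SAMPLE_PREFS))
```

The DNS rule flags any globally routable resolver rather than a fixed list, so it also catches addresses other than the two quoted here; on a machine that legitimately uses an external resolver the value should be compared against the expected one instead. The proxy rule is deliberately narrow (loopback only), because that is the pattern of a local redirector; a corporate proxy on another host would not trigger it.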

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you re-run RogueKiller and select option 4.
Once that is complete, re-run it and select option 5.
Retry OTL.

Also, could you run aswMBR and then post its log?
  • 0

#7
jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
OK, I was able to run options 4 and 5 on RogueKiller. But trying the OTL fix once again brought up the blue screen. Here are the RogueKiller logs:

Option 4:
RogueKiller V5.0.0 [04/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: rainmaker [Admin rights]
Mode: ProxyFix -- Date : 05/02/2011 19:55:03

Bad processes: 3
[APPDT/TMP/DESKTOP] dwm.exe -- d:\data\rainmaker\application data\dwm.exe -> KILLED
[APPDT/TMP/DESKTOP] conhost.exe -- d:\data\rainmaker\application data\microsoft\conhost.exe -> KILLED
[APPDT/TMP/DESKTOP] qxpwnhvjfdi.exe -- d:\data\rainma~1\locals~1\temp\wggxobvfa\qxpwnhvjfdi.exe -> KILLED

Registry Entries: 3
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> REPLACED (0)
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:53273) -> DELETED
[PROXY FF] 0oy9apyi.default\ 127.0.0.1:53273 -> DELETED

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


Option 5:
RogueKiller V5.0.0 [04/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: rainmaker [Admin rights]
Mode: DNSFix -- Date : 05/02/2011 19:56:25

Bad processes: 0

Registry Entries: 6
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{61F7FDB4-9189-4629-B0F0-8F4F903002EF} : NameServer (93.188.164.50,93.188.160.230) -> REPLACED : ()
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{D6CD12DF-4487-42F7-85D8-30051DCA4624} : NameServer (93.188.164.50,93.188.160.230) -> REPLACED : ()
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{D9B57E24-83B8-45DF-96EA-B58497BF8616} : NameServer (93.188.164.50,93.188.160.230) -> REPLACED : ()
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{61F7FDB4-9189-4629-B0F0-8F4F903002EF} : NameServer (93.188.164.50,93.188.160.230) -> REPLACED : ()
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{D6CD12DF-4487-42F7-85D8-30051DCA4624} : NameServer (93.188.164.50,93.188.160.230) -> REPLACED : ()
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{D9B57E24-83B8-45DF-96EA-B58497BF8616} : NameServer (93.188.164.50,93.188.160.230) -> REPLACED : ()

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
  • 0

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, time for the big guns then :)

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#9
jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
OK, here is the ComboFix log:

ComboFix 11-05-03.02 - rainmaker 2011/05/03 19:40:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1002 [GMT -4:00]
Running from: d:\data\rainmaker\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Sygate Security Agent *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\data\admin\Application Data\dwm.exe
d:\data\admin\Application Data\Microsoft\conhost.exe
d:\data\admin\Local Settings\Application Data\fxd.exe
d:\data\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\data\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\data\John\Application Data\dwm.exe
d:\data\John\Application Data\Microsoft\conhost.exe
d:\data\John\Local Settings\Application Data\cas.exe
d:\data\jolcese\.vftv1223328197584
d:\data\jolcese\.vftv1223328200022
d:\data\jolcese\.vftv1223328210052
d:\data\jolcese\My Documents\Readiris.DUS
d:\data\rainmaker\Application Data\dwm.exe
d:\data\rainmaker\Application Data\Microsoft\conhost.exe
d:\data\tp\Local Settings\Application Data\ark.exe
D:\install.exe
.
----- BITS: Possible infected sites -----
.
hxxp://download.yimg.com
hxxp://10.69.34.171:80
.
((((((((((((((((((((((((( Files Created from 2011-04-03 to 2011-05-03 )))))))))))))))))))))))))))))))
.
.
2011-05-01 19:15 . 2011-05-01 19:15 -------- d-s---w- d:\data\rainmaker\UserData
2011-04-11 14:25 . 2011-04-11 14:25 -------- d-----w- d:\data\John
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 19:57 . 2011-04-01 19:57 73728 ----a-w- c:\winnt\system32\javacpl.cpl
2011-04-01 19:57 . 2011-04-01 19:57 472808 ----a-w- c:\winnt\system32\deployJava1.dll
2011-02-22 15:27 . 2007-11-07 01:29 8832 ----a-w- c:\winnt\system32\drivers\rasacd.sys
2011-02-20 18:56 . 2011-02-20 18:56 175 ----a-w- d:\data\tp\PKI_INST.BAT
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2011-05-01 400760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
d:\data\jolcese\Start Menu\Programs\Startup\
AOM.lnk - c:\program files\Common Files\Adobe\Web\AOM.exe [N/A]
.
d:\data\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\winnt\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-11-17 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-17 113664]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
TunnelGuard Tray Monitor.lnk - c:\program files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE [2005-9-6 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-02-01 19:09 28672 ------w- c:\winnt\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-02-01 19:09 24576 ------w- c:\winnt\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1364589140-839522115-2401\Scripts\Logoff\0\0]
"Script"=logoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
.
R0 ANCSQ;ANCSQ;c:\winnt\system32\drivers\ANCSQ.sys [2005/04/27 10:15 AM 6912]
R0 TPDIGIMN;TPDIGIMN;c:\winnt\system32\drivers\ApsHM86.sys [2007/03/02 6:47 PM 19760]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2008/11/17 3:06 PM 24521]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nexxia\Extranet_serv.exe [2008/11/17 3:06 PM 835584]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2008/11/17 3:06 PM 155216]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\Maga\Maga.exe [2006/07/25 3:14 PM 323658]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010/01/15 8:49 AM 227232]
S3 tpflhlp;tpflhlp;c:\drivers\T60\BIOS\tpflhlp.sys [2007/08/09 4:33 PM 13360]
S4 Fa0irdasards;Fa0irdasards;c:\winnt\system32\drivers\iPassP.sys [2008/11/17 3:04 PM 21419]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{00120000-6000-11D3-8CFE-0050048383C9}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{94F321B9-45B0-4125-970D-DE3D98CBCA1C}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC76BA86-0000-0000-7760-7E8A45000000}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-22 c:\winnt\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-11-17 05:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cmweb.rbccm.com/
mStart Page = hxxp://cmweb.rbccm.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:53273
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: rbc.com\mis.fg
Trusted Zone: rbc.com\pmtprojectserver.fg
Trusted Zone: rbccm.com
FF - ProfilePath - d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0oy9apyi.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53273
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-conhost - d:\data\rainmaker\Application Data\Microsoft\conhost.exe
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-03 19:45
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1696)
c:\winnt\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(2256)
c:\winnt\system32\msi.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\ibmpmsvc.exe
c:\winnt\SYSTEM32\DWRCS.EXE
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\winnt\System32\TPHDEXLG.exe
c:\program files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\winnt\system32\CCM\CcmExec.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\winnt\SYSTEM32\DWRCST.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-05-03 19:47:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-03 23:47
.
Pre-Run: 35,956,121,600 bytes free
Post-Run: 35,785,433,088 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
- - End Of File - - A3BF4D29B813EFC33281E2D41FC88B64
  • 0

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you let me know what your current problems are, please?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:53273



3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.

  • 0

#11
jolces

    Member

  • Topic Starter
  • Member
  • PipPip
  • 53 posts
The issue I am having is that I keep getting redirected within my browser to rogue pages that I have not selected. Here are the logs. Thanks.

ComboFix 11-05-03.02 - rainmaker 2011/05/04 20:05:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1120 [GMT -4:00]
Running from: d:\data\rainmaker\Desktop\ComboFix.exe
Command switches used :: d:\data\rainmaker\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Sygate Security Agent *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-05 to 2011-05-05 )))))))))))))))))))))))))))))))
.
.
2011-05-04 00:52 . 2011-05-04 00:52 -------- d-----w- d:\data\default
2011-05-01 19:15 . 2011-05-01 19:15 -------- d-s---w- d:\data\rainmaker\UserData
2011-04-11 14:25 . 2011-04-11 14:25 -------- d-----w- d:\data\John
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 19:57 . 2011-04-01 19:57 73728 ----a-w- c:\winnt\system32\javacpl.cpl
2011-04-01 19:57 . 2011-04-01 19:57 472808 ----a-w- c:\winnt\system32\deployJava1.dll
2011-02-22 15:27 . 2007-11-07 01:29 8832 ----a-w- c:\winnt\system32\drivers\rasacd.sys
2011-02-20 18:56 . 2011-02-20 18:56 175 ----a-w- d:\data\tp\PKI_INST.BAT
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-03_23.45.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-04 23:56 . 2011-05-04 23:56 16384 c:\winnt\Temp\Perflib_Perfdata_678.dat
+ 2007-11-07 01:28 . 2011-05-03 23:48 66506 c:\winnt\system32\perfc009.dat
- 2007-11-07 01:28 . 2011-03-29 21:07 66506 c:\winnt\system32\perfc009.dat
+ 2007-11-07 01:28 . 2011-05-03 23:48 410954 c:\winnt\system32\perfh009.dat
- 2007-11-07 01:28 . 2011-03-29 21:07 410954 c:\winnt\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2011-05-01 400760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
d:\data\jolcese\Start Menu\Programs\Startup\
AOM.lnk - c:\program files\Common Files\Adobe\Web\AOM.exe [N/A]
.
d:\data\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\winnt\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-11-17 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-17 113664]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
TunnelGuard Tray Monitor.lnk - c:\program files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE [2005-9-6 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-02-01 19:09 28672 ------w- c:\winnt\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-02-01 19:09 24576 ------w- c:\winnt\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1364589140-839522115-2401\Scripts\Logoff\0\0]
"Script"=logoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
.
R0 ANCSQ;ANCSQ;c:\winnt\system32\drivers\ANCSQ.sys [2005/04/27 10:15 AM 6912]
R0 TPDIGIMN;TPDIGIMN;c:\winnt\system32\drivers\ApsHM86.sys [2007/03/02 6:47 PM 19760]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2008/11/17 3:06 PM 24521]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nexxia\Extranet_serv.exe [2008/11/17 3:06 PM 835584]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2008/11/17 3:06 PM 155216]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\Maga\Maga.exe [2006/07/25 3:14 PM 323658]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010/01/15 8:49 AM 227232]
S3 Splarphvaacw;Splarphvaacw; [x]
S3 tpflhlp;tpflhlp;c:\drivers\T60\BIOS\tpflhlp.sys [2007/08/09 4:33 PM 13360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{00120000-6000-11D3-8CFE-0050048383C9}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{94F321B9-45B0-4125-970D-DE3D98CBCA1C}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC76BA86-0000-0000-7760-7E8A45000000}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-22 c:\winnt\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-11-17 05:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cmweb.rbccm.com/
mStart Page = hxxp://cmweb.rbccm.com/
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: rbc.com\mis.fg
Trusted Zone: rbc.com\pmtprojectserver.fg
Trusted Zone: rbccm.com
FF - ProfilePath - d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0oy9apyi.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53273
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 20:08
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1696)
c:\winnt\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(3592)
c:\winnt\system32\msi.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-04 20:10:03
ComboFix-quarantined-files.txt 2011-05-05 00:10
ComboFix2.txt 2011-05-03 23:47
.
Pre-Run: 35,836,882,944 bytes free
Post-Run: 35,818,135,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B252DCE412101FDFA1DA3C16B1912EE1
OTL logfile created on: 2011/05/04 8:10:43 PM - Run 5
OTL by OldTimer - Version 3.2.20.6 Folder = d:\data\rainmaker\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy/MM/dd

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 60.45 Gb Total Space | 33.39 Gb Free Space | 55.24% Space Free | Partition Type: NTFS
Drive D: | 32.70 Gb Total Space | 8.96 Gb Free Space | 27.41% Space Free | Partition Type: NTFS

Computer Name: BR3F8433 | User Name: rainmaker | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/01 13:35:11 | 000,400,760 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\BitTorrent\BitTorrent.exe
PRC - [2011/02/20 00:00:55 | 000,602,624 | ---- | M] (OldTimer Tools) -- d:\data\rainmaker\Desktop\OTL.exe
PRC - [2010/12/16 21:16:56 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/15 08:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007/07/25 17:16:42 | 000,073,728 | ---- | M] (DameWare Development) -- C:\WINNT\system32\DWRCST.EXE
PRC - [2007/07/25 17:16:30 | 000,222,720 | ---- | M] (DameWare Development LLC) -- C:\WINNT\system32\DWRCS.EXE
PRC - [2007/05/31 19:02:06 | 000,036,400 | ---- | M] (Lenovo) -- C:\WINNT\system32\ibmpmsvc.exe
PRC - [2007/03/02 18:49:00 | 000,037,680 | ---- | M] (Lenovo.) -- C:\WINNT\system32\TPHDEXLG.exe
PRC - [2006/11/29 18:47:28 | 000,126,976 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
PRC - [2006/11/29 18:47:28 | 000,086,016 | ---- | M] (iPass, Inc.) -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
PRC - [2006/02/09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\CCM\CcmExec.exe
PRC - [2005/10/06 23:18:26 | 000,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
PRC - [2005/09/06 17:51:08 | 000,053,248 | ---- | M] (Alexandria Software Consulting) -- c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
PRC - [2005/09/06 17:50:50 | 000,045,056 | ---- | M] (Nortel Networks) -- C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
PRC - [2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/02/20 00:00:55 | 000,602,624 | ---- | M] (OldTimer Tools) -- d:\data\rainmaker\Desktop\OTL.exe
MOD - [2006/08/25 09:45:56 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (wuauserv)
SRV - File not found [On_Demand | Stopped] -- -- (PsaSrv)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/11/17 15:33:43 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/08/30 16:06:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/08/13 21:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2007/08/13 21:50:00 | 000,054,608 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2007/07/25 17:16:30 | 000,222,720 | ---- | M] (DameWare Development LLC) [Auto | Running] -- C:\WINNT\System32\DWRCS.EXE -- (DWMRCS)
SRV - [2007/05/31 19:02:06 | 000,036,400 | ---- | M] (Lenovo) [Auto | Running] -- C:\WINNT\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2007/03/02 18:49:00 | 000,037,680 | ---- | M] (Lenovo.) [Auto | Running] -- C:\WINNT\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2006/11/30 19:09:32 | 001,310,720 | ---- | M] (iPass, Inc.) [On_Demand | Stopped] -- C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe -- (iPassConnectEngine)
SRV - [2006/11/29 18:47:28 | 000,126,976 | ---- | M] (iPass, Inc.) [On_Demand | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe -- (iPassPeriodicUpdateApp)
SRV - [2006/11/29 18:47:28 | 000,086,016 | ---- | M] (iPass, Inc.) [Auto | Running] -- C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe -- (iPassPeriodicUpdateService)
SRV - [2006/07/25 15:23:30 | 002,635,480 | ---- | M] (Sygate Technologies, Inc.) [Disabled | Stopped] -- c:\Program Files\Sygate\SSA\Smc.exe -- (SmcService)
SRV - [2006/07/25 15:14:52 | 000,323,658 | ---- | M] (Sygate Technologies, Inc.) [On_Demand | Stopped] -- c:\Program Files\Sygate\SSA\Maga\Maga.exe -- (magaService)
SRV - [2006/05/09 18:37:50 | 000,835,584 | ---- | M] (Nortel Networks NA, Inc.) [On_Demand | Stopped] -- C:\Program Files\Nexxia\Extranet_serv.exe -- (ExtranetAccess)
SRV - [2006/02/09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2005/10/06 23:18:26 | 000,385,024 | ---- | M] () [Auto | Running] -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)
SRV - [2005/09/06 17:51:08 | 000,053,248 | ---- | M] (Alexandria Software Consulting) [Auto | Running] -- c:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe -- (tunnelguardservice)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2008/11/17 15:04:01 | 000,021,419 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\iPassP.sys -- (iPassP) iPass Protocol (IEEE 802.1x)
DRV - [2007/12/19 15:27:48 | 000,013,184 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\psadd.sys -- (psadd)
DRV - [2007/09/07 21:50:00 | 000,064,168 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2007/08/13 21:50:00 | 000,171,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2007/08/13 21:50:00 | 000,072,712 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2007/08/13 21:50:00 | 000,052,200 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2007/08/13 21:50:00 | 000,034,184 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2007/08/13 21:50:00 | 000,032,008 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2007/08/09 16:33:14 | 000,013,360 | ---- | M] (Lenovo Group Limited) [Kernel | On_Demand | Stopped] -- C:\DRIVERS\T60\BIOS\tpflhlp.sys -- (tpflhlp)
DRV - [2007/06/21 03:43:26 | 002,208,512 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/06/18 01:16:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2007/05/31 19:01:30 | 000,021,424 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2007/03/21 12:58:56 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/03/20 09:01:08 | 000,099,328 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\symmpi.sys -- (Symmpi)
DRV - [2007/03/02 18:49:00 | 000,100,656 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINNT\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2007/03/02 18:47:00 | 000,019,760 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINNT\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2007/01/12 15:05:58 | 000,246,680 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/01/10 02:56:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2006/10/02 01:55:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINNT\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2006/10/02 01:55:00 | 000,009,343 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2006/07/25 15:24:26 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\SYSTEM32\Drivers\wg6n.sys -- (wg6n)
DRV - [2006/07/25 15:24:24 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\SYSTEM32\Drivers\wg5n.sys -- (wg5n)
DRV - [2006/07/25 15:24:20 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\SYSTEM32\Drivers\wg4n.sys -- (wg4n)
DRV - [2006/07/25 15:24:16 | 000,014,952 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINNT\SYSTEM32\Drivers\wg3n.sys -- (wg3n)
DRV - [2006/07/25 14:59:48 | 000,021,075 | ---- | M] (Sygate Technologies, Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\wpsdrvnt.sys -- (wpsdrvnt)
DRV - [2006/07/25 14:57:10 | 000,061,008 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINNT\SYSTEM32\Drivers\Teefer.sys -- (Teefer)
DRV - [2006/05/09 18:47:10 | 000,024,521 | ---- | M] (Nortel Networks) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\eacfilt.sys -- (Eacfilt)
DRV - [2006/05/09 18:46:42 | 000,155,216 | ---- | M] (Nortel Networks NA, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ipsecw2k.sys -- (IPSECSHM)
DRV - [2006/05/09 18:46:42 | 000,155,216 | ---- | M] (Nortel Networks NA, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\ipsecw2k.sys -- (IPSECEXT)
DRV - [2006/02/14 14:04:58 | 000,177,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/02/09 03:50:00 | 000,020,704 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2006/02/01 15:09:40 | 000,017,699 | ---- | M] (IBM Corporation) [Kernel | System | Running] -- C:\WINNT\system32\drivers\TPHKDRV.sys -- (TPHKDRV)
DRV - [2005/12/15 14:19:20 | 000,173,056 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2005/12/06 11:21:32 | 000,936,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hsx_dpv.sys -- (HSF_DPV)
DRV - [2005/12/06 11:20:48 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hsxhwazl.sys -- (HSXHWAZL)
DRV - [2005/12/06 11:20:42 | 000,670,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hsx_cnxt.sys -- (winachsf)
DRV - [2005/05/17 09:20:06 | 000,015,872 | ---- | M] (Atmel, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\atmeltpm.sys -- (atmeltpm)
DRV - [2005/04/27 11:27:34 | 000,063,616 | ---- | M] (IBM) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2005/04/27 10:16:46 | 000,005,427 | ---- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINNT\system32\egathdrv.sys -- (EGATHDRV)
DRV - [2005/04/27 10:15:50 | 000,006,912 | ---- | M] (IBM Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\ANCSQ.sys -- (ANCSQ)
DRV - [2005/01/07 16:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 00:00:52 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2002/11/26 15:54:58 | 000,016,936 | ---- | M] (Smith Micro Software, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMNDIS5.sys -- (SMNDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cmweb.rbccm.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cmweb.rbccm.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53273
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/02/20 15:01:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/01 15:57:44 | 000,000,000 | ---D | M]

[2010/10/21 07:26:44 | 000,000,000 | ---D | M] (No name found) -- d:\data\rainmaker\Application Data\Mozilla\Extensions
[2011/02/22 11:08:57 | 000,000,000 | ---D | M] (No name found) -- d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0oy9apyi.default\extensions
[2011/05/02 20:11:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/01 15:57:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/04/01 15:57:24 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/04/01 15:57:22 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/05/03 19:44:54 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKCU..\Run: [BitTorrent] C:\Program Files\BitTorrent\BitTorrent.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINNT\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe ()
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe ()
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: d:\data\All Users\Start Menu\Programs\Startup\TunnelGuard Tray Monitor.lnk = C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE (Nortel Networks)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonType = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuNetworkPlaces = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Intellimenus = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O15 - HKLM\..Trusted Domains: catokvs101 ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: rbc.com ([]* in Local intranet)
O15 - HKLM\..Trusted Domains: rbc.com ([*.oak.fg] * in Local intranet)
O15 - HKLM\..Trusted Domains: rbc.com ([mis.fg] https in Trusted sites)
O15 - HKLM\..Trusted Domains: rbc.com ([pmtprojectserver.fg] http in Trusted sites)
O15 - HKLM\..Trusted Domains: rbccm.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: rbccm.com ([crm] * in Local intranet)
O15 - HKLM\..Trusted Domains: royalbank.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: rbc.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: royalbank.com ([]* in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_13)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oak.fg.rbc.com
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINNT\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINNT\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINNT\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\WINNT\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINNT\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/06 21:43:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/04 20:04:57 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/05/03 19:38:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2011/05/03 19:38:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2011/05/03 19:38:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2011/05/03 19:38:36 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2011/05/03 19:35:29 | 000,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2011/05/03 19:34:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/01 15:15:56 | 000,000,000 | --SD | C] -- d:\data\rainmaker\UserData
[2011/05/01 15:14:18 | 000,000,000 | ---D | C] -- d:\data\rainmaker\Desktop\RK_Quarantine
[2011/05/01 13:28:56 | 000,000,000 | ---D | C] -- C:\WINNT\Minidump

========== Files - Modified Within 30 Days ==========

[2011/05/04 20:05:03 | 000,000,323 | RHS- | M] () -- C:\boot.ini
[2011/05/04 19:58:14 | 000,000,392 | ---- | M] () -- C:\WINNT\smscfg.ini
[2011/05/04 19:57:14 | 000,002,193 | ---- | M] () -- d:\data\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2011/05/04 19:56:34 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2011/05/03 21:15:40 | 000,067,109 | ---- | M] () -- d:\data\rainmaker\Desktop\pool.jpg
[2011/05/03 19:48:33 | 000,410,954 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2011/05/03 19:48:33 | 000,066,506 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2011/05/03 19:44:54 | 000,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2011/05/03 19:38:00 | 004,336,154 | R--- | M] () -- d:\data\rainmaker\Desktop\ComboFix.exe
[2011/05/02 19:54:33 | 000,011,775 | ---- | M] () -- d:\data\rainmaker\Application Data\0E3A.6C1
[2011/05/02 19:54:01 | 000,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2011/05/01 16:21:33 | 000,001,324 | ---- | M] () -- C:\WINNT\System32\d3d9caps.dat
[2011/05/01 14:08:55 | 000,450,560 | ---- | M] () -- d:\data\rainmaker\Desktop\RogueKiller.exe
[2011/04/30 12:55:05 | 000,003,852 | -HS- | M] () -- d:\data\All Users\Application Data\34352o2be027ho55i2d7a7vvq87lyn
[2011/04/11 10:26:01 | 000,002,419 | ---- | M] () -- d:\data\All Users\Desktop\Citrix Program Neighborhood.lnk2
[2011/04/11 10:25:46 | 000,000,370 | ---- | M] () -- C:\WINNT\ODBC.INI
[2011/04/11 10:22:07 | 000,004,592 | -HS- | M] () -- d:\data\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq

========== Files Created - No Company Name ==========

[2011/05/04 20:05:03 | 000,000,207 | ---- | C] () -- C:\Boot.bak
[2011/05/03 21:15:39 | 000,067,109 | ---- | C] () -- d:\data\rainmaker\Desktop\pool.jpg
[2011/05/03 19:40:04 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/05/03 19:38:36 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
[2011/05/03 19:38:36 | 000,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2011/05/03 19:38:36 | 000,089,088 | ---- | C] () -- C:\WINNT\MBR.exe
[2011/05/03 19:38:36 | 000,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2011/05/03 19:38:36 | 000,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2011/05/03 19:26:37 | 004,336,154 | R--- | C] () -- d:\data\rainmaker\Desktop\ComboFix.exe
[2011/05/01 14:08:47 | 000,450,560 | ---- | C] () -- d:\data\rainmaker\Desktop\RogueKiller.exe
[2011/04/30 12:57:43 | 000,011,775 | ---- | C] () -- d:\data\rainmaker\Application Data\0E3A.6C1
[2011/04/30 12:54:23 | 000,003,852 | -HS- | C] () -- d:\data\All Users\Application Data\34352o2be027ho55i2d7a7vvq87lyn
[2011/04/11 10:18:40 | 000,004,592 | -HS- | C] () -- d:\data\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq
[2011/03/27 14:28:06 | 000,011,016 | -HS- | C] () -- d:\data\All Users\Application Data\72xy4j5pr746copb247k3woh
[2010/10/21 09:24:26 | 000,002,847 | ---- | C] () -- C:\WINNT\System32\DWRCS.INI
[2010/10/21 08:04:22 | 000,011,264 | ---- | C] () -- d:\data\rainmaker\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/18 16:00:01 | 000,000,118 | ---- | C] () -- d:\data\rainmaker\Local Settings\Application Data\fusioncache.dat
[2008/11/17 15:29:37 | 000,000,786 | ---- | C] () -- C:\WINNT\EPFax.INI
[2008/11/17 15:29:37 | 000,000,049 | ---- | C] () -- C:\WINNT\mailroom.ini
[2008/11/17 15:29:35 | 000,000,186 | ---- | C] () -- C:\WINNT\pagesuit.ini
[2008/11/17 15:29:34 | 000,023,040 | ---- | C] () -- C:\WINNT\System32\irisco32.dll
[2008/11/17 15:29:28 | 000,086,016 | ---- | C] () -- C:\WINNT\System32\Mrsplnt.dll
[2008/11/17 15:29:25 | 000,086,016 | ---- | C] () -- C:\WINNT\System32\Mrinst.dll
[2008/11/17 15:29:25 | 000,009,142 | ---- | C] () -- C:\WINNT\MR2000.ini
[2008/11/17 15:29:22 | 000,252,768 | ---- | C] () -- C:\WINNT\System32\capicom.dll
[2008/11/17 13:46:05 | 000,007,168 | ---- | C] () -- C:\WINNT\System32\drivers\TSMAPIP.SYS
[2008/11/17 13:44:42 | 000,009,343 | ---- | C] () -- C:\WINNT\System32\drivers\TDSMAPI.SYS
[2008/11/17 13:42:51 | 000,077,824 | ---- | C] () -- C:\WINNT\System32\SynTPCoI.dll
[2008/11/17 13:42:20 | 000,004,442 | ---- | C] () -- C:\WINNT\System32\drivers\TPPWRIF.SYS
[2008/11/17 13:35:21 | 000,028,672 | ---- | C] () -- C:\WINNT\System32\notifyf2.dll
[2008/11/17 13:35:21 | 000,024,576 | ---- | C] () -- C:\WINNT\System32\tphklock.dll
[2007/12/19 16:22:04 | 000,000,392 | ---- | C] () -- C:\WINNT\smscfg.ini
[2007/12/19 15:43:37 | 000,000,280 | ---- | C] () -- C:\WINNT\System32\epoPGPsdk.dll.sig
[2007/12/19 15:33:22 | 000,000,370 | ---- | C] () -- C:\WINNT\ODBC.INI
[2007/11/06 21:30:40 | 000,009,728 | ---- | C] () -- C:\WINNT\L6DLOG.DLL
[2007/11/06 21:30:40 | 000,008,192 | ---- | C] () -- C:\WINNT\L6DWAPI.DLL
[2007/11/06 21:30:40 | 000,007,680 | ---- | C] () -- C:\WINNT\L6DNCB.DLL
[2007/11/06 21:29:10 | 000,027,440 | ---- | C] () -- C:\WINNT\System32\drivers\secdrv.sys
[2007/11/06 21:27:55 | 000,081,920 | ---- | C] () -- C:\WINNT\System32\ieencode.dll
[2007/11/06 16:36:26 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[2006/07/25 15:22:12 | 000,235,152 | ---- | C] () -- C:\WINNT\System32\SetAid.dll
[2005/04/27 10:53:10 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\pwdmon.dll
[2005/04/27 10:53:10 | 000,019,853 | ---- | C] () -- C:\WINNT\ibmprc.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINNT\System32\OUTLPERF.INI

< End of report >

#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Please delete your current copy of aswMBR as we will run an updated one


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
d:\data\rainmaker\Application Data\0E3A.6C1
d:\data\All Users\Application Data\34352o2be027ho55i2d7a7vvq87lyn
d:\data\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq
d:\data\All Users\Application Data\72xy4j5pr746copb247k3woh

Driver::
Splarphvaacw


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.

THEN

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

#13 jolces (Topic Starter, Member, 53 posts)
OK here are the updated logs:

ComboFix 11-05-06.05 - rainmaker 2011/05/07 13:12:35.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1102 [GMT -4:00]
Running from: d:\data\rainmaker\Desktop\ComboFix.exe
Command switches used :: d:\data\rainmaker\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Sygate Security Agent *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Splarphvaacw
.
.
((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))
.
.
2011-05-05 01:48 . 2011-05-05 01:48 -------- d-----w- d:\data\rainmaker\Application Data\ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1
2011-05-05 01:48 . 2011-05-05 01:48 -------- d-----w- c:\program files\Zinio Reader 4
2011-05-05 01:48 . 2011-05-05 01:48 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-05-04 00:52 . 2011-05-04 00:52 -------- d-----w- d:\data\default
2011-05-01 19:15 . 2011-05-01 19:15 -------- d-s---w- d:\data\rainmaker\UserData
2011-04-11 14:25 . 2011-04-11 14:25 -------- d-----w- d:\data\John
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 19:57 . 2011-04-01 19:57 73728 ----a-w- c:\winnt\system32\javacpl.cpl
2011-04-01 19:57 . 2011-04-01 19:57 472808 ----a-w- c:\winnt\system32\deployJava1.dll
2011-02-22 15:27 . 2007-11-07 01:29 8832 ----a-w- c:\winnt\system32\drivers\rasacd.sys
2011-02-20 18:56 . 2011-02-20 18:56 175 ----a-w- d:\data\tp\PKI_INST.BAT
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-03_23.45.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-07 17:16 . 2011-05-07 17:16 16384 c:\winnt\Temp\Perflib_Perfdata_674.dat
+ 2007-11-07 01:28 . 2011-05-03 23:48 66506 c:\winnt\system32\perfc009.dat
- 2007-11-07 01:28 . 2011-03-29 21:07 66506 c:\winnt\system32\perfc009.dat
+ 2011-05-05 01:48 . 2011-05-05 01:48 54784 c:\winnt\Installer\6674fc.msi
+ 2011-05-05 01:48 . 2011-05-05 01:48 28160 c:\winnt\Installer\6674f6.msi
+ 2007-11-07 01:28 . 2011-05-03 23:48 410954 c:\winnt\system32\perfh009.dat
- 2007-11-07 01:28 . 2011-03-29 21:07 410954 c:\winnt\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2011-05-01 400760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
d:\data\jolcese\Start Menu\Programs\Startup\
AOM.lnk - c:\program files\Common Files\Adobe\Web\AOM.exe [N/A]
.
d:\data\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\winnt\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-11-17 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-17 113664]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
TunnelGuard Tray Monitor.lnk - c:\program files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE [2005-9-6 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-02-01 19:09 28672 ------w- c:\winnt\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-02-01 19:09 24576 ------w- c:\winnt\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1364589140-839522115-2401\Scripts\Logoff\0\0]
"Script"=logoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
.
R0 ANCSQ;ANCSQ;c:\winnt\system32\drivers\ANCSQ.sys [2005/04/27 10:15 AM 6912]
R0 TPDIGIMN;TPDIGIMN;c:\winnt\system32\drivers\ApsHM86.sys [2007/03/02 6:47 PM 19760]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2008/11/17 3:06 PM 24521]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nexxia\Extranet_serv.exe [2008/11/17 3:06 PM 835584]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2008/11/17 3:06 PM 155216]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\Maga\Maga.exe [2006/07/25 3:14 PM 323658]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010/01/15 8:49 AM 227232]
S3 tpflhlp;tpflhlp;c:\drivers\T60\BIOS\tpflhlp.sys [2007/08/09 4:33 PM 13360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{00120000-6000-11D3-8CFE-0050048383C9}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{94F321B9-45B0-4125-970D-DE3D98CBCA1C}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC76BA86-0000-0000-7760-7E8A45000000}]
2005-05-03 17:58 78848 ------w- c:\winnt\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-22 c:\winnt\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-11-17 05:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cmweb.rbccm.com/
mStart Page = hxxp://cmweb.rbccm.com/
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: rbc.com\mis.fg
Trusted Zone: rbc.com\pmtprojectserver.fg
Trusted Zone: rbccm.com
FF - ProfilePath - d:\data\rainmaker\Application Data\Mozilla\Firefox\Profiles\0oy9apyi.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53273
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-07 13:17
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1704)
c:\winnt\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(716)
c:\winnt\system32\msi.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\ibmpmsvc.exe
c:\winnt\SYSTEM32\DWRCS.EXE
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\winnt\System32\TPHDEXLG.exe
c:\program files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\winnt\system32\CCM\CcmExec.exe
c:\winnt\SYSTEM32\DWRCST.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-05-07 13:19:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-07 17:19
ComboFix2.txt 2011-05-05 00:10
ComboFix3.txt 2011-05-03 23:47
.
Pre-Run: 35,758,559,232 bytes free
Post-Run: 35,680,595,968 bytes free
.
- - End Of File - - 5BDE2DFAC85F592AF29ABB91139EDCAC


aswMBR

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-07 13:25:46
-----------------------------
13:25:46.921 OS Version: Windows 5.1.2600 Service Pack 2
13:25:46.921 Number of processors: 2 586 0xE0C
13:25:46.921 ComputerName: BR3F8433 UserName:
13:25:47.437 Initialize success
13:25:50.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
13:25:50.250 Disk 0 Vendor: HTS72101 MCZI Size: 95396MB BusType: 3
13:25:50.281 Disk 0 MBR read successfully
13:25:50.281 Disk 0 MBR scan
13:25:50.281 Disk 0 unknown MBR code
13:25:50.281 Disk 0 scanning sectors +195365520
13:25:50.312 Disk 0 scanning C:\WINNT\system32\drivers
13:25:53.031 Service scanning
13:25:53.984 Disk 0 trace - called modules:
13:25:54.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
13:25:54.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89a52ab8]
13:25:54.015 3 CLASSPNP.SYS[ba8e905b] -> nt!IofCallDriver -> \Device\0000009d[0x89a139e0]
13:25:54.015 5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x89a53030]
13:25:54.015 Scan finished successfully
13:26:11.109 Disk 0 MBR has been saved successfully to "d:\data\rainmaker\Desktop\MBR.dat"
13:26:11.125 The log file has been saved successfully to "d:\data\rainmaker\Desktop\aswMBR.txt"
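The logs above carry two of the classic redirect indicators that Essexboy's CFScript targets: hidden+system files with machine-generated names dropped into All Users\Application Data (the OTL "-HS-" entries), and Firefox prefs.js still pointing network.proxy.http at 127.0.0.1:53273 (a local proxy left behind by the infection; network.proxy.type 0 means it is no longer switched on, which is why the redirects may have stopped even though the entry remains). The script below is an added example written for this page, not part of the thread or of OTL/ComboFix, that parses sample lines copied from the posted logs and flags those two patterns. The name-length threshold (16 lowercase alphanumerics, no extension) and the Application Data location test are heuristics chosen for this example, not rules from either tool.

```python
import re
from ipaddress import ip_address

# Sample input constructed from lines quoted in this thread: OTL "Files Created"
# entries from the first log and "FF - prefs.js" entries from the ComboFix log.
OTL_SAMPLE = r"""
[2011/05/03 19:40:04 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/30 12:54:23 | 000,003,852 | -HS- | C] () -- d:\data\All Users\Application Data\34352o2be027ho55i2d7a7vvq87lyn
[2011/04/11 10:18:40 | 000,004,592 | -HS- | C] () -- d:\data\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq
[2011/03/27 14:28:06 | 000,011,016 | -HS- | C] () -- d:\data\All Users\Application Data\72xy4j5pr746copb247k3woh
[2010/10/21 09:24:26 | 000,002,847 | ---- | C] () -- C:\WINNT\System32\DWRCS.INI
"""

FF_SAMPLE = r"""
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53273
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
"""

# One OTL file entry: [timestamp | size | attributes | M/C] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[A-Z-]{4})\s*\|\s*[MC]\]"
    r"\s*\((?P<company>[^)]*)\)\s*--\s*(?P<path>.+?)\s*$"
)
FF_PREF = re.compile(r"^FF - prefs\.js:\s*(?P<key>[\w.]+)\s*-\s*(?P<value>.+?)\s*$")
# Heuristic chosen for this example (not an OTL rule): 16+ lowercase
# alphanumerics and no extension, the shape of the three dropped files above.
RANDOM_NAME = re.compile(r"^[a-z0-9]{16,}$")


def looks_random(name: str) -> bool:
    """Extension-less name that mixes letters and digits and is long enough to be machine-made."""
    return (RANDOM_NAME.match(name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def suspicious_hidden_files(otl_text: str) -> list:
    """Return paths of Hidden+System files with random names under Application Data."""
    hits = []
    for line in otl_text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        if "H" not in attrs or "S" not in attrs:
            continue                      # keep only hidden+system entries
        if "application data" not in path.lower():
            continue                      # C:\cmldr (ComboFix's own loader) drops out here
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if looks_random(name):
            hits.append(path)
    return hits


def firefox_proxy_findings(combofix_text: str):
    """Summarise the Firefox proxy prefs; None when no HTTP proxy host is recorded."""
    prefs = {}
    for line in combofix_text.splitlines():
        m = FF_PREF.match(line.strip())
        if m:
            prefs[m.group("key")] = m.group("value")
    host = prefs.get("network.proxy.http")
    if host is None:
        return None
    port = prefs.get("network.proxy.http_port", "")
    try:
        loopback = ip_address(host).is_loopback
    except ValueError:
        loopback = host.lower() == "localhost"
    return {
        "host": host,
        "port": int(port) if port.isdigit() else None,
        "loopback": loopback,
        # network.proxy.type 1 = manual proxy in use; 0 = direct, so the entry is inert
        "active": prefs.get("network.proxy.type") == "1",
    }


if __name__ == "__main__":
    for p in suspicious_hidden_files(OTL_SAMPLE):
        print("hidden+system random-named file:", p)
    print("firefox proxy:", firefox_proxy_findings(FF_SAMPLE))
```

Run against the sample, the three -HS- paths are exactly the three folders in Essexboy's Folder:: block, C:\cmldr is excluded because it sits outside Application Data, and the proxy summary reports 127.0.0.1:53273 as a loopback proxy that is currently inactive. A loopback proxy with a high, non-standard port is worth clearing from prefs.js even when inactive, since re-enabling it is a single pref change.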

#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Are you still being redirected ?
Are the redirects in IE, Firefox or both ?

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

#15 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.