Computers freeze at intervals

Computers on my network frequently freeze at intervals, and I have scanned them with McAfee anti-virus and cleaned them. I suspect a bug but cannot exactly find a way of resolving this problem.
oandosupportAsked:

QlemoBatchelor, Developer and EE Topic AdvisorCommented:
If the complete hardware is stuck (including the mouse), most probably the CPU is overheated and has suspended action as an emergency stop.
0

oandosupportAuthor Commented:
In most cases, the mouse cursor moves but every other window does not respond.
0
JonveeCommented:
The fact that more than one computer is freezing on your network does suggest a common infection (a bug).

May I suggest you download and then update Malwarebytes' Anti-Malware:
http://www.malwarebytes.org/mbam.php
When updated, reboot into Safe Mode by selecting F8 at bootup & run a scan.

Tutorial available, if you require >
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t169669.html

Also try the Kaspersky free online virus scanner which is a good way to find out if you have any viruses or spyware without having to uninstall your existing antivirus software>
http://www.kaspersky.co.uk/virusscanner
0

JonveeCommented:
If those two scanners between them do not resolve it, I suggest you install and run Trend HijackThis 2.02:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temporary folder.
Run the scan & save the logfile. Then click the "Attach Code Snippet" box, paste the logfile into the "Code Snippet" page and then it can be analysed. We are looking for rootkits or other nasties.

If we see nothing and the problem remains, let's run the more powerful ComboFix.
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Before using ComboFix it may be necessary to rename it before saving it to your desktop. If you have difficulties downloading it, try downloading to another machine, then onto a USB memory stick (or equivalent). Rename it and connect to the problematic machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouse-click ComboFix's window while it is running, because it may stall. It is absolutely normal for you to see a blue screen with a flashing cursor, and this can last for up to 30 mins. Just let it run.

Ideally ComboFix should be run in normal mode, although it will work in safe mode if you're unable to reach normal mode.
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
I agree about global infection.
If it were one PC only, I would suspect heavy hard disk activity - when coupled with virtual memory action (page file), the computer will stop or stutter in responding.
0
JonveeCommented:
oandosupport,
Hopefully we can resolve your problem with our ideas listed above.
However, if it proves to be a bad infection, and one that 'regenerates' within your network, you could also take a look at this previous thread and the suggestions of warturtle on 14/05/09 03:23 PM BST (the Accepted Solution). It's just another option we could turn to if we have to >>

"Computers with virus spreading through network":
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24401465.html
0
oandosupportAuthor Commented:
Thanks Jonvee, I've been down with a fever but will run the suggested fix and get back to you later in the day.
0
JonveeCommented:
Sorry to hear that ... please take your time.
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
"Fever", "infection" - can a computer virus infect users, or vice versa?
0
oandosupportAuthor Commented:
Hi Jonvee, find attached the hijackthis log from one of the computers having the symptom. Still running the combo fix, but just wanted to reply to keep the thread "alive"....

Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:52 AM, on 6/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hq-web/oandointranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hq-web/oandointranet/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Oando Plc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = webserver*;appserver*;hq*;moon*;oando*;mail02*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5DFA6027.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://hq-web/oandointranet/
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - 
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://moon2.oando-plc.com:7781/jpi/j2re.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oando-plc.com
O17 - HKLM\Software\..\Telephony: DomainName = oando-plc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oando-plc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = oando-plc.com
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\system32\DWRCS.EXE (file missing)
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
 
--
End of file - 8694 bytes


0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Suspicious entries:
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5DFA6027.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\system32\DWRCS.EXE (file missing)

The startup link is very strange.

DameWare is sometimes used to implement backdoor access. It is a remote control program like pcAnywhere, Remote, Proxy, ..., which allows for taking control over the whole computer and for viewing the user's actions.
0
JonveeCommented:
This HijackThis entry certainly looks like a threat and should be Fixed (as Qlemo intimates), although you may find that it regenerates. If this is the case ComboFix should resolve the problem. Otherwise your logfile appears relatively clean>
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5DFA6027.EXE
0
oandosupportAuthor Commented:
For some reason, I cannot get combofix to run on any of the machines. I'll attempt to download another copy and try running on the infected systems and then run HijackThis and send the log again.

Thanks a lot for the support.
0
JonveeCommented:
Possibly it's due to an infection, but this site mentioned earlier should be fine>
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Did you try renaming it before saving it to your desktop?
Or if you have difficulties downloading it, you could try downloading to a "clean" computer which is separated from your network, then save it on a USB memory stick (or equivalent). Rename ComboFix, and then connect to one of the networked computers.

A HijackThis log on its own is not as useful as getting ComboFix to run.
0
oandosupportAuthor Commented:
Got a fresh copy of ComboFix to run after renaming it. Find attached the log report from the combofix. Thanks for all the support.
ComboFix 09-06-10.02 - OOlabisi 06/11/2009 11:58:09.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.990.510 [GMT 1:00]
Running from: C:\Documents and Settings\oolabisi\Desktop\HiJack Log\FixIt.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
 * Resident AV is active
 
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\DOCUME~1\oolabisi\LOCALS~1\Temp\E_4
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\DOCUME~1\oolabisi\LOCALS~1\Temp\E_4\com.run
C:\DOCUME~1\oolabisi\LOCALS~1\Temp\E_4\internet.fne
C:\DOCUME~1\oolabisi\LOCALS~1\Temp\E_4\krnln.fnr
C:\DOCUME~1\oolabisi\LOCALS~1\Temp\E_4\RegEx.fnr
C:\DOCUME~1\oolabisi\LOCALS~1\Temp\E_4\spec.fne
C:\Documents and Settings\oolabisi\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\com.run
C:\WINDOWS\system32\internet.fne
C:\WINDOWS\system32\krnln.fnr
C:\WINDOWS\system32\og.dll
C:\WINDOWS\system32\og.edt
C:\WINDOWS\system32\RegEx.fnr
C:\WINDOWS\system32\spec.fne
C:\WINDOWS\system32\ul.dll
 
----- BITS: Possible infected sites -----
 
hxxp://spade.oando-plc.com:80
.
(((((((((((((((((((((((((   Files Created from 2009-05-11 to 2009-06-11  )))))))))))))))))))))))))))))))
.
 
2009-06-11 10:49:14 . 2009-06-11 10:49:16	0	d---a-w-	C:\deliverables
2009-06-11 10:43:53 . 2009-06-11 10:43:53	39745	----a-w-	C:\WINDOWS\system32\api_hook_list.dat
2009-06-11 10:43:50 . 2007-10-17 10:24:40	70976	----a-w-	C:\WINDOWS\system32\HIPIS0e00150.dll
2009-06-09 09:11:11 . 2009-06-09 09:11:11	0	d-----w-	C:\Program Files\Trend Micro
2009-05-13 07:33:10 . 2009-05-13 07:33:10	0	d-----w-	C:\Documents and Settings\oolabisi\Local Settings\Application Data\Yahoo
2009-05-13 07:29:16 . 2009-03-18 16:55:46	607472	----a-w-	C:\Documents and Settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 09:35:36 . 2008-09-25 10:53:21	0	d-----w-	C:\Documents and Settings\oolabisi\Application Data\SiteAdvisor
2009-06-05 04:24:14 . 2009-02-12 16:36:58	247104	----a-w-	C:\WINDOWS\system32\KevlarSigs.dll
2009-05-28 11:55:15 . 2008-10-03 14:39:05	0	d-----w-	C:\Documents and Settings\oolabisi\Application Data\AdobeUM
2009-05-13 07:29:16 . 2008-01-03 10:48:46	0	d-----w-	C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-05-11 08:02:16 . 2008-06-12 14:09:17	6611589	----a-w-	C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FramePkg.exe
2009-05-02 11:36:13 . 2009-05-02 11:36:13	136	----a-w-	C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-05-02 11:36:13 . 2008-02-19 08:12:26	71064	----a-w-	C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 11:35:31 . 2009-05-02 11:35:31	0	d-----w-	C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-03-12 09:01:33 . 2008-01-03 10:46:47	66672	-c--a-w-	C:\Program Files\mozilla firefox\components\jar50.dll
2007-03-12 09:01:34 . 2008-01-03 10:46:47	54376	-c--a-w-	C:\Program Files\mozilla firefox\components\jsd3250.dll
2007-03-12 09:01:36 . 2008-01-03 10:46:47	34952	-c--a-w-	C:\Program Files\mozilla firefox\components\myspell.dll
2007-03-12 09:01:38 . 2008-01-03 10:46:47	46720	-c--a-w-	C:\Program Files\mozilla firefox\components\spellchk.dll
2007-03-12 09:01:40 . 2008-01-03 10:46:47	172144	-c--a-w-	C:\Program Files\mozilla firefox\components\xpinstal.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00:00 15360]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 09:33:58 5803368]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 17:50:30 4363504]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 09:07:44 843776]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-27 19:50:00 111952]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 20:07:32 36640]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12:54 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 19:26:04 32881]
"McAfee Host Intrusion Prevention Tray"="C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe" [2007-10-17 11:17:22 963904]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe" [2009-03-10 15:00:00 136512]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 09:33:58 5803368]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45:42 36040]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
DLO Agent.lnk - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe [2004-11-8 3318880]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5275:TCP"= 5275:TCP:knqkwu
 
R0 atiide;atiide;C:\WINDOWS\system32\drivers\atiide.sys [1/2/2008 11:40:37 AM 3456]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\drivers\dwvkbd.sys [2/15/2007 6:00:00 PM 26624]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe [10/17/2007 12:17:20 PM 1447232]
R3 DwMirror;DwMirror;C:\WINDOWS\system32\drivers\DamewareMini.sys [2/7/2007 6:00:00 PM 2944]
R3 FirehkMP;FirehkMP;C:\WINDOWS\system32\drivers\firehk.sys [9/20/2007 5:39:06 PM 24968]
R3 HIPK;McAfee Inc. HIPK;C:\WINDOWS\system32\drivers\HIPK.sys [2/12/2009 5:36:38 PM 100104]
R3 HIPPSK;McAfee Inc. HIPPSK;C:\WINDOWS\system32\drivers\HIPPSK.sys [2/12/2009 5:36:38 PM 30856]
R3 HIPQK;McAfee Inc. HIPQK;C:\WINDOWS\system32\drivers\HIPQK.sys [2/12/2009 5:36:38 PM 27976]
R3 hips;McAfee HIPSCore Service;C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [2/12/2009 5:36:37 PM 46400]
S2 ccmsetup;ccmsetup;C:\WINDOWS\system32\ccmsetup\ccmsetup.exe [3/11/2008 7:47:05 AM 672800]
S2 VRTSChangeJournalReader;VERITAS Backup Exec DLO Agent Change Journal Reader;C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe [11/8/2004 4:46:08 PM 271456]
S2 wamier;Center Installer;C:\WINDOWS\system32\svchost.exe -k netsvcs [8/4/2004 1:00:00 PM 14336]
S3 atodw;atodw;\??\C:\WINDOWS\system32\01E0.tmp --> C:\WINDOWS\system32\01E0.tmp [?]
S3 edermdw;edermdw;\??\C:\WINDOWS\system32\0201.tmp --> C:\WINDOWS\system32\0201.tmp [?]
S3 Firehk;McAfee NDIS Intermediate Filter;C:\WINDOWS\system32\drivers\firehk.sys [9/20/2007 5:39:06 PM 24968]
S3 gnjqxo;gnjqxo;\??\C:\WINDOWS\system32\02A1.tmp --> C:\WINDOWS\system32\02A1.tmp [?]
S3 iyouu;iyouu;\??\C:\WINDOWS\system32\01A3.tmp --> C:\WINDOWS\system32\01A3.tmp [?]
S3 jbbliwrh;jbbliwrh;\??\C:\WINDOWS\system32\01AE.tmp --> C:\WINDOWS\system32\01AE.tmp [?]
S3 jvvendf;jvvendf;\??\C:\WINDOWS\system32\01D1.tmp --> C:\WINDOWS\system32\01D1.tmp [?]
S3 ranqzp;ranqzp;\??\C:\WINDOWS\system32\02F1.tmp --> C:\WINDOWS\system32\02F1.tmp [?]
S3 sdxrzrf;sdxrzrf;\??\C:\WINDOWS\system32\0130.tmp --> C:\WINDOWS\system32\0130.tmp [?]
S3 skuqcuu;skuqcuu;\??\C:\WINDOWS\system32\02C8.tmp --> C:\WINDOWS\system32\02C8.tmp [?]
S3 tkiyzcebg;tkiyzcebg;\??\C:\WINDOWS\system32\01AF.tmp --> C:\WINDOWS\system32\01AF.tmp [?]
S3 wihrwqe;wihrwqe;\??\C:\WINDOWS\system32\0F6.tmp --> C:\WINDOWS\system32\0F6.tmp [?]
S3 wroippdux;wroippdux;\??\C:\WINDOWS\system32\029D.tmp --> C:\WINDOWS\system32\029D.tmp [?]
S3 wvivts;wvivts;\??\C:\WINDOWS\system32\01B9.tmp --> C:\WINDOWS\system32\01B9.tmp [?]
S4 WinDefend;Windows Defender;C:\Program Files\Windows Defender\MsMpEng.exe [10/5/2006 10:11:34 PM 13592]
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
rgjfarsn
wtpdwfkcw
dilfau
hmrnev
niyhhleb
bpfosijhc
nkavff
shnxo
buddcwm
kfhhl
zjqslyzzu
mbzkk
wamier
.
Contents of the 'Scheduled Tasks' folder
 
2009-06-10 C:\WINDOWS\Tasks\DLOClientu.exe - UNIDOMAIN_augbah.job
- C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe [2004-11-08 15:48:28 . 2004-11-08 15:48:28]
 
2009-06-10 C:\WINDOWS\Tasks\DLOClientu.exe - UNIDOMAIN_mokosun.job
- C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe [2004-11-08 15:48:28 . 2004-11-08 15:48:28]
 
2009-06-10 C:\WINDOWS\Tasks\DLOClientu.exe - UNIDOMAIN_NCOBIORA.job
- C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe [2004-11-08 15:48:28 . 2004-11-08 15:48:28]
 
2009-06-10 C:\WINDOWS\Tasks\DLOClientu.exe - UNIDOMAIN_okuforiji.job
- C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe [2004-11-08 15:48:28 . 2004-11-08 15:48:28]
 
2009-06-08 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-10-05 21:11:46 . 2006-10-05 21:11:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hq-web/oandointranet/
uInternet Settings,ProxyServer = 10.10.10.104:8080
uInternet Settings,ProxyOverride = webserver*;appserver*;hq*;moon*;oando*;mail02*;<local>
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - 
.
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 12:07:52
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccmsetup]
"ImagePath"="\"C:\WINDOWS\system32\ccmsetup\ccmsetup.exe\" /runservice /config:MobileClient.tcf"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atodw]
"ImagePath"="\??\C:\WINDOWS\system32\01E0.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\edermdw]
"ImagePath"="\??\C:\WINDOWS\system32\0201.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gnjqxo]
"ImagePath"="\??\C:\WINDOWS\system32\02A1.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iyouu]
"ImagePath"="\??\C:\WINDOWS\system32\01A3.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jbbliwrh]
"ImagePath"="\??\C:\WINDOWS\system32\01AE.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jvvendf]
"ImagePath"="\??\C:\WINDOWS\system32\01D1.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ranqzp]
"ImagePath"="\??\C:\WINDOWS\system32\02F1.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdxrzrf]
"ImagePath"="\??\C:\WINDOWS\system32\0130.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\skuqcuu]
"ImagePath"="\??\C:\WINDOWS\system32\02C8.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tkiyzcebg]
"ImagePath"="\??\C:\WINDOWS\system32\01AF.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wihrwqe]
"ImagePath"="\??\C:\WINDOWS\system32\0F6.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wroippdux]
"ImagePath"="\??\C:\WINDOWS\system32\029D.tmp"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wvivts]
"ImagePath"="\??\C:\WINDOWS\system32\01B9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(916)
C:\WINDOWS\system32\HcApi.dll
C:\WINDOWS\system32\KevlarSigs.dll
 
- - - - - - - > 'lsass.exe'(972)
C:\WINDOWS\system32\HcApi.dll
C:\WINDOWS\system32\KevlarSigs.dll
 
- - - - - - - > 'csrss.exe'(888)
C:\WINDOWS\system32\HcApi.dll
C:\WINDOWS\system32\KevlarSigs.dll
.
Completion time: 2009-06-11 12:10:20
ComboFix-quarantined-files.txt  2009-06-11 11:10:16
 
Pre-Run: 53,663,547,392 bytes free
Post-Run: 54,818,484,224 bytes free
 

0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
A lot of strange "services" entries with binaries *.tmp in system32 - those are coming from the infection.

Port 5275 for process knqkwu was opened in firewall - that should not be there.

ComboFix should already have isolated those entries and the related binaries. Have a look into ComboFix-quarantined-files.txt for confirmation.

0
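A small triage script, added here as an illustration and not part of this thread, of HijackThis or of ComboFix, that encodes the checks Qlemo applied by eye to the two logs: the startup link whose name has no readable characters, the service whose binary is missing, the firewall port opened for a random process name, and services whose image is a .tmp file in system32. The sample lines are constructed from entries in the posted logs, with a few benign lines for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in HijackThis (O4/O23) and ComboFix
# (firewall list and service list) format, taken from the logs in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-5DFA6027.EXE
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\system32\DWRCS.EXE (file missing)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5275:TCP"= 5275:TCP:knqkwu
R0 atiide;atiide;C:\WINDOWS\system32\drivers\atiide.sys [1/2/2008 11:40:37 AM 3456]
S3 atodw;atodw;\??\C:\WINDOWS\system32\01E0.tmp --> C:\WINDOWS\system32\01E0.tmp [?]
S3 wihrwqe;wihrwqe;\??\C:\WINDOWS\system32\0F6.tmp --> C:\WINDOWS\system32\0F6.tmp [?]
"""

# HijackThis O4 startup-folder links: "O4 - Startup: <name>.lnk = <target>"
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?)\.lnk = (?P<target>.+)$")
# HijackThis O23 services: "O23 - Service: <display> - <owner> - <path>"
SERVICE_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix dump of the XP firewall GloballyOpenPorts list
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.+)$')
# ComboFix service/driver list: "<R|S><n> <name>;<display>;<path> [<date> <size>]"
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)(?: \[.*\])?$")
TMP_RE = re.compile(r"\.tmp\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def classify(line: str) -> Optional[str]:
    """Return the rule name a single log line trips, or None if it looks benign."""
    m = STARTUP_RE.match(line)
    if m:
        # A startup link whose name contains no letter or digit (e.g. "¡¡¡¡¡¡")
        # is not something an installer would create.
        if not re.search(r"[A-Za-z0-9]", m["name"]):
            return "startup-link-unreadable-name"
        return None
    m = SERVICE_RE.match(line)
    if m:
        # A registered service whose binary is gone: either removed by AV or a
        # leftover of something that was never legitimately installed.
        if m["path"].endswith("(file missing)"):
            return "service-file-missing"
        return None
    m = PORT_RE.match(line)
    if m:
        # System-created exceptions carry a resource-string description
        # ("@xpsp2res.dll,-22009"); a bare random token such as "knqkwu" does not.
        if not m["desc"].startswith("@"):
            return "firewall-port-unnamed"
        return None
    m = DRIVER_RE.match(line)
    if m:
        # Services whose image path is a *.tmp file in system32 are the
        # pattern Qlemo called out in the ComboFix log.
        if TMP_RE.search(m["path"]):
            return "service-image-tmp"
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line of a log through classify() and collect the hits in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rule = classify(line)
        if rule:
            findings.append(Finding(rule, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

The rules are deliberately narrow (file missing, .tmp image, unreadable link name, undescribed port exception); they surface entries for a human to review rather than declare anything malicious.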
JonveeCommented:
By running ComboFix you can see that a number of "Other Deletions" (presumably infections) have already been dealt with.

Presume you ran Combo on just one computer in the network?
If yes, is that particular computer more stable, and showing no signs of freezing?

It's going to take a while to study the Combo log in more detail, but I'll get back to you later ...
0
JonveeCommented:
A quick check but unable to recognise lines 138 to 150, which may well be further infections >
rgjfarsn wtpdwfkcw dilfau hmrnev niyhhleb bpfosijhc nkavff shnxo buddcwm kfhhl zjqslyzzu mbzkk wamier.

Were you able to scan with Malwarebytes and Kaspersky as suggested earlier ?
They're highly recommended (details above).
http://www.malwarebytes.org/mbam.php
http://www.kaspersky.co.uk/virusscanner

also ...
http://housecall.trendmicro.com/uk/
Ideal for scanning online, using "Safe Mode with networking".
     
There is no one scanner capable of removing all infections, usually we need to try a few, so please see if these can produce a final cleanup.
0
oandosupportAuthor Commented:
Thanks everyone for the support, @Jonvee, I'll run the other scanners and revert on the stability of the system. Thanks a lot.
0
oandosupportAuthor Commented:
Hi All,  

Find attached the HijackThis log from another machine; could you kindly analyze it to see if there are any common invalid entries with the other log that was sent?

The attached file is a report from running combofix on the same computer with the attached snippet.

Thanks,
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:45 AM, on 6/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS1\system32\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\WINDOWS1\system32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Novatel Wireless\MobiLink\iilserver.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS1\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS1\system32\CCM\CcmExec.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\EXPLORER.EXE
C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
C:\WINDOWS1\system32\DWRCST.exe
C:\WINDOWS1\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS1\system32\wuauclt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS1\system32\hkcmd.exe
C:\WINDOWS1\system32\igfxsrvc.exe
C:\WINDOWS1\system32\igfxpers.exe
C:\WINDOWS1\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS1\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hq-web/oandointranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Oando Plc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = webserver*;appserver*;hq*;moon*;oando*;mail02*;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS1\system32\userinit.exe,EXPLORER.EXE
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [GenProtect] C:\WINDOWS1\gplxqt.exe
O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS1\oaexzi.exe
O4 - HKLM\..\Run: [WinSysM] C:\WINDOWS1\136741M.exe
O4 - HKLM\..\Run: [WinSysW] C:\WINDOWS1\136741L.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS1\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS1\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS1\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [WSockDrv32] C:\WINDOWS1\foezfg.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS1\system32\ckvo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://hq-web/oandointranet/
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://hqprdp1.oando-plc.com:8000/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oando-plc.com
O17 - HKLM\Software\..\Telephony: DomainName = oando-plc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = oando-plc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = oando-plc.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = oando-plc.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: 281D094E - Unknown owner - C:\WINDOWS1\system32\8DC80FE3.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS1\system32\DWRCS.EXE
O23 - Service: E10BA0F3 - Unknown owner - C:\WINDOWS1\system32\7F41EA60.EXE (file missing)
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c9e1dc726b724e) (gupdate1c9e1dc726b724e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: K Print Spooler (kspooldaemon) - Unknown owner - C:\WINDOWS1\system32\kspoold.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: MobiLink IILServer - Novatel Wireless, Inc. - C:\Program Files\Novatel Wireless\MobiLink\iilserver.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: VERITAS Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
 
--
End of file - 15710 bytes


ComboFix.txt
0
JonveeCommented:
This other machine you mention also seems to be infected. I've done a quick analysis of your HijackThis log, & here are some comments. The Combo log will take me much longer to check out.

These 6 entries can be 'fixed' with HijackThis but will probably regenerate.  ComboFix can likely deal with them >
O23 - Service: 281D094E - Unknown owner - C:\WINDOWS1\system32\8DC80FE3.EXE (file missing)
O23 - Service: E10BA0F3 - Unknown owner - C:\WINDOWS1\system32\7F41EA60.EXE (file missing)
O23 - Service: K Print Spooler (kspooldaemon) - Unknown owner - C:\WINDOWS1\system32\kspoold.exe (file missing)

O4 - HKLM\..\Run: [GenProtect] C:\WINDOWS1\gplxqt.exe
O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS1\oaexzi.exe
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe

These 4 are suspicious and still being checked >
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

0
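The entries Jonvee singles out above share a few patterns that can be checked mechanically: O23 services with an unknown owner whose binary is missing, service names that are bare hex strings, and O4 Run entries whose executable either has no path at all or sits directly in the Windows directory rather than in system32 or Program Files. The following Python script is an added example, not code from the thread or from any participant; it applies those heuristics to HijackThis v2 lines. The sample lines are copied from the log posted above (hence the machine's `C:\WINDOWS1` system root); the `Finding` type, the regular expressions and the heuristics themselves are my own and only produce candidates for manual review, not verdicts.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted in the thread. Only
# O4 (Run keys) and O23 (services) entries are included, since those are
# the types the analysis above comments on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GenProtect] C:\WINDOWS1\gplxqt.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS1\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\system32\ctfmon.exe
O23 - Service: 281D094E - Unknown owner - C:\WINDOWS1\system32\8DC80FE3.EXE (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: K Print Spooler (kspooldaemon) - Unknown owner - C:\WINDOWS1\system32\kspoold.exe (file missing)
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# "O23 - Service: <display name> - <owner> - <image path>[ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A folder that is the Windows root itself (C:\WINDOWS, C:\WINDOWS1, ...).
WINROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\d*$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    entry: str   # the log line that deserves a manual look
    reason: str  # which heuristic it tripped


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_o4(m: re.Match) -> list:
    exe = executable_of(m["cmd"])
    reasons = []
    if "\\" not in exe:
        # No path at all: the loader resolves the name via its search order,
        # so the entry cannot be tied to a specific file without looking further.
        reasons.append("bare executable name without a path")
    else:
        folder = exe.rsplit("\\", 1)[0]
        if WINROOT_RE.match(folder):
            # Legitimate startup items live in system32 or under Program Files;
            # a loose executable directly in the Windows root is unusual.
            reasons.append("executable placed directly in the Windows directory")
    return reasons


def triage_o23(m: re.Match) -> list:
    reasons = []
    unknown_owner = m["owner"].strip() == "Unknown owner"
    file_missing = m["path"].rstrip().endswith("(file missing)")
    if unknown_owner and file_missing:
        # An unsigned/unknown service whose binary is gone is typically the
        # leftover registration of something a scanner already deleted.
        reasons.append("unknown-owner service whose binary is missing")
    if re.fullmatch(r"[0-9A-F]{8}", m["name"].strip()):
        # Display name is an eight-digit hex string, a generated-name pattern.
        reasons.append("service name is a bare 8-digit hex string")
    return reasons


def analyze(log_text: str) -> list:
    """Run the heuristics over every O4/O23 line and collect review candidates."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            reasons = triage_o4(m)
        else:
            m = O23_RE.match(line)
            reasons = triage_o23(m) if m else []
        findings.extend(Finding(line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason}: {f.entry}")
```

Run as a script it lists the review candidates from the sample; to use it on a full log, pass the file's contents to `analyze`. Entries such as the SiteAdvisor service (unknown owner but binary present) and `ctfmon.exe` (full path in system32) are deliberately left unflagged, which matches the comments above: it is the combination of signals, not any one of them, that marks an entry as worth fixing.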
JonveeCommented:
Combo log didn't take long to check; it's only 3 KB, so most of it is missing!
Can you try reloading it for me please?

There were certainly several "Other Deletions" (infections) evident!
0
JonveeCommented:
oandosupport,
The more I analyse your logs, the more it seems that the problem is reminiscent of an earlier issue, where a network was heavily infected!
Take a look at this rather long thread and at the "Accepted Solution" by warturtle. His winning three suggestions may well help you completely clear up the problem.
In your case, too, the malware will keep reappearing until we can 'close the door on them'.
Meanwhile, analysing your Combo log is continuing >

"Computers with virus spreading through network":
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24401465.html
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
It's most important to keep all computers separated from the network until you are done with disinfection. If a computer is (almost) clean, update it immediately with all MS patches available (after connecting it to the network again, of course).

0
oandosupportAuthor Commented:
Systems return to a stable state once scanned and patched. This will be done until all systems are malware-free.
0