Internet Explorer keeps redirecting

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Internet Explorer keeps redirecting Need help removing it

#1 jagrim

Member

Group: Members
Posts: 50
Joined: 28-July 07

Posted 27 December 2011 - 09:11 PM

I am attempting to help my neighbor clean her computer from some type of Trojan. It is a Win 7 64 bit op system. She had some earlier issues with this computer that required her to send it back to HP for warranty work. Of course, when it returned they had turned her virus protection off and she became infected.

Before she brought it to me, I had her run MBam. The log is below. I have runn dds and am posting and attaching the logs.

Assistance is greatly appreciated
Alan

MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8352

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/11/2011 11:31:53 AM
mbam-log-2011-12-11 (11-31-53).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 353253
Time elapsed: 24 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vMttfGqwJXmmgo.exe (Rogue.Agent.SA) -> Value: vMttfGqwJXmmgo.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files (x86)\totalrecipesearch_14ei\Installr\1.bin\14EIPlug.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\program files (x86)\totalrecipesearch_14ei\Installr\1.bin\NP14EISb.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\Users\administrator\AppData\Local\Temp\zmzb6ho2bau6gb.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\administrator\AppData\LocalLow\Sun\Java\deployment\cache\6.0\48\38f8ca30-5f696966 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Maggie at 19:47:19 on 2011-12-27
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2169 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\vssvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111224132329.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{93204C40-0E12-4B98-B227-9B3CF5EBC393} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111224132329.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun-x64: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun-x64: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;C:\Windows\system32\drivers\McPvDrv.sys --> C:\Windows\system32\drivers\McPvDrv.sys [?]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R1 MOBKFilter;MOBKFilter;C:\Windows\system32\DRIVERS\MOBK.sys --> C:\Windows\system32\DRIVERS\MOBK.sys [?]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-12 249936]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-12 249936]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-12 249936]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-12 249936]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-12-12 199272]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-12-12 208536]
R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
R2 MOBKbackup;McAfee Online Backup;C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe [2010-4-13 231224]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 136176]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-14 366152]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 136176]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms [2009-9-16 23536]
.
=============== Created Last 30 ================
.
2011-12-28 01:37:09 -------- d-----w- C:\Users\Maggie\AppData\Local\Google
2011-12-23 00:33:51 -------- d-----w- C:\Program Files\NVIDIA Corporation
2011-12-23 00:29:43 14336 ----a-w- C:\Windows\System32\drivers\sffp_sd.sys
2011-12-23 00:19:47 -------- d-----w- C:\Windows\System32\SPReview
2011-12-23 00:18:47 -------- d-----w- C:\Windows\System32\EventProviders
2011-12-21 15:51:50 -------- d-----w- C:\Users\Maggie\jagexcache1
2011-12-21 04:51:40 -------- d-----w- C:\Users\Maggie\AppData\Local\CrashDumps
2011-12-20 02:48:15 -------- d-----w- C:\Users\Maggie\AppData\Local\McAfee Anti-Theft
2011-12-16 19:07:57 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-16 19:07:35 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-16 19:07:35 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-16 19:05:00 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-16 19:04:59 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-16 19:04:56 3141632 ----a-w- C:\Windows\System32\win32k.sys
2011-12-12 23:38:41 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-12-12 23:00:05 -------- d-----w- C:\Program Files (x86)\McAfeeMOBK
2011-12-12 22:59:56 66040 ----a-w- C:\Windows\System32\drivers\MOBK.sys
2011-12-12 22:59:55 -------- d-----w- C:\Program Files (x86)\McAfee Online Backup
2011-12-12 22:59:43 71800 ----a-w- C:\Windows\System32\drivers\McPvDrv.sys
2011-12-12 22:54:59 -------- d-----w- C:\Program Files (x86)\McAfee.com
2011-12-12 22:54:30 10248 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2011-12-12 22:54:29 -------- d-----w- C:\Program Files (x86)\Common Files\McAfee
2011-12-12 22:53:53 284648 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2011-12-12 22:53:52 75808 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
2011-12-12 22:53:52 65264 ----a-w- C:\Windows\System32\drivers\cfwids.sys
2011-12-12 22:53:52 481768 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
2011-12-12 22:53:52 229528 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2011-12-12 22:53:52 100912 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2011-12-12 22:53:21 -------- d-----w- C:\Program Files\Common Files\McAfee
2011-12-12 22:53:20 -------- d-----w- C:\Program Files\McAfee.com
2011-12-12 22:53:20 -------- d-----w- C:\Program Files\McAfee
2011-12-12 22:53:16 -------- d-----w- C:\Program Files (x86)\McAfee
2011-12-12 22:43:50 161168 ----a-w- C:\Windows\System32\mfevtps.exe
2011-12-11 18:33:12 200976 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2011-12-11 17:01:42 -------- d-----w- C:\Users\Maggie\AppData\Roaming\Malwarebytes
2011-12-11 17:01:31 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-11 17:01:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-11 17:00:20 -------- d-----w- C:\Downloaded Software
2011-12-11 16:57:46 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4881FA84-9089-488B-BBE2-59803C591D65}\mpengine.dll
.
==================== Find3M ====================
.
2011-12-23 00:51:59 152064 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-12-23 00:51:58 175104 ----a-w- C:\Windows\System32\msclmd.dll
2011-12-12 22:41:06 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-15 20:29:56 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-11-10 11:54:13 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-11-05 05:26:29 1197568 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 05:23:10 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-11-05 04:35:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 04:34:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-11-05 04:07:32 482816 ----a-w- C:\Windows\System32\html.iec
2011-11-05 03:28:41 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-11-05 03:25:44 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:55:38 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-15 19:16:16 647080 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2011-10-15 19:16:16 160280 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2011-09-29 16:24:44 1897328 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 19:56:58.14 ===============

Attached File(s)

Attach.txt (6.57K)
Number of downloads: 0

#2 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 27 December 2011 - 09:23 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

If you have since resolved the original problem you were having, we would appreciate you letting us know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
- If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Please download aswMBR ( 511KB ) to your desktop.

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Thanks and again sorry for the delay.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

Posted Image

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#3 jagrim

Member

Group: Members
Posts: 50
Joined: 28-July 07

Posted 27 December 2011 - 10:06 PM

Description is same as Post #1

Ran DDS - log below
Ran defogger - It did not ask me to reboot
Attempted to run aswMBR without success: Itacted like it wanted to run (spinning circle) then just stopped. It never got to a Scan button

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Maggie at 20:47:06 on 2011-12-27
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2338 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111224132329.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{93204C40-0E12-4B98-B227-9B3CF5EBC393} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111224132329.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun-x64: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun-x64: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;C:\Windows\system32\drivers\McPvDrv.sys --> C:\Windows\system32\drivers\McPvDrv.sys [?]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R1 MOBKFilter;MOBKFilter;C:\Windows\system32\DRIVERS\MOBK.sys --> C:\Windows\system32\DRIVERS\MOBK.sys [?]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-12 249936]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-12 249936]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-12 249936]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-12 249936]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-12-12 199272]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-12-12 208536]
R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
R2 MOBKbackup;McAfee Online Backup;C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe [2010-4-13 231224]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 136176]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-14 366152]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 136176]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms [2009-9-16 23536]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-28 01:37:09 -------- d-----w- C:\Users\Maggie\AppData\Local\Google
2011-12-23 00:33:51 -------- d-----w- C:\Program Files\NVIDIA Corporation
2011-12-23 00:29:43 14336 ----a-w- C:\Windows\System32\drivers\sffp_sd.sys
2011-12-23 00:19:47 -------- d-----w- C:\Windows\System32\SPReview
2011-12-23 00:18:47 -------- d-----w- C:\Windows\System32\EventProviders
2011-12-21 15:51:50 -------- d-----w- C:\Users\Maggie\jagexcache1
2011-12-21 04:51:40 -------- d-----w- C:\Users\Maggie\AppData\Local\CrashDumps
2011-12-20 02:48:15 -------- d-----w- C:\Users\Maggie\AppData\Local\McAfee Anti-Theft
2011-12-16 19:07:57 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-16 19:07:35 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-16 19:07:35 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-16 19:05:00 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-16 19:04:59 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-16 19:04:56 3141632 ----a-w- C:\Windows\System32\win32k.sys
2011-12-12 23:38:41 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-12-12 23:00:05 -------- d-----w- C:\Program Files (x86)\McAfeeMOBK
2011-12-12 22:59:56 66040 ----a-w- C:\Windows\System32\drivers\MOBK.sys
2011-12-12 22:59:55 -------- d-----w- C:\Program Files (x86)\McAfee Online Backup
2011-12-12 22:59:43 71800 ----a-w- C:\Windows\System32\drivers\McPvDrv.sys
2011-12-12 22:54:59 -------- d-----w- C:\Program Files (x86)\McAfee.com
2011-12-12 22:54:30 10248 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2011-12-12 22:54:29 -------- d-----w- C:\Program Files (x86)\Common Files\McAfee
2011-12-12 22:53:53 284648 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2011-12-12 22:53:52 75808 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
2011-12-12 22:53:52 65264 ----a-w- C:\Windows\System32\drivers\cfwids.sys
2011-12-12 22:53:52 481768 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
2011-12-12 22:53:52 229528 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2011-12-12 22:53:52 100912 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2011-12-12 22:53:21 -------- d-----w- C:\Program Files\Common Files\McAfee
2011-12-12 22:53:20 -------- d-----w- C:\Program Files\McAfee.com
2011-12-12 22:53:20 -------- d-----w- C:\Program Files\McAfee
2011-12-12 22:53:16 -------- d-----w- C:\Program Files (x86)\McAfee
2011-12-12 22:43:50 161168 ----a-w- C:\Windows\System32\mfevtps.exe
2011-12-11 18:33:12 200976 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2011-12-11 17:01:42 -------- d-----w- C:\Users\Maggie\AppData\Roaming\Malwarebytes
2011-12-11 17:01:31 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-11 17:01:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-11 17:00:20 -------- d-----w- C:\Downloaded Software
2011-12-11 16:57:46 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4881FA84-9089-488B-BBE2-59803C591D65}\mpengine.dll
.
==================== Find3M ====================
.
2011-12-23 00:51:59 152064 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-12-23 00:51:58 175104 ----a-w- C:\Windows\System32\msclmd.dll
2011-12-12 22:41:06 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-15 20:29:56 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-11-10 11:54:13 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-11-05 05:26:29 1197568 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 05:23:10 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-11-05 04:35:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 04:34:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-11-05 04:07:32 482816 ----a-w- C:\Windows\System32\html.iec
2011-11-05 03:28:41 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-11-05 03:25:44 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:55:38 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-15 19:16:16 647080 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2011-10-15 19:16:16 160280 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2011-09-29 16:24:44 1897328 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 20:56:03.38 ===============

Attached File(s)

Attach1.txt (6.57K)
Number of downloads: 0

#4 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 27 December 2011 - 11:49 PM

Hello jagrim,

Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Are you able to Burn CD's and have access to a Usb Flash Drive?

2.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

3.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
Close any open windows, including this one.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose YES.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply::
TdssKIller log
Combofix.txt
Are you able to burn Cd's and have access to a Usb Flash Drive?
How is your machine running now?

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#5 jagrim

Member

Group: Members
Posts: 50
Joined: 28-July 07

Posted 28 December 2011 - 06:40 PM

Yes, I can burn CD's

Turned off Real Time Protection in Windows defender

Unable to run TDSSkiller.exe. Changed name and extension with same result. It gives the indication that it is about to run (spinning circle) then stops.

Was unable to load Combofix with this computer. Had to burn disc from other computer and copy to this one. All it did was extract files and make a folder that looks like the My Computer. Unable to attach it as it says I do not have required permission.

#6 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 28 December 2011 - 06:44 PM

Do you Have a USB Flash Drive?

Try this for Combofix. Rename it then run it in Safemode.

Download and Rename Combofix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below. You must rename it 1234.scr before saving it to your desktop.

Link 1
Link 2

Posted Image

--------------------------------------------------------------------

Safe Mode with Networking

Networking

here

Double click on 1234.scr & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose YES.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt so we can continue cleaning the system.

This post has been edited by fireman4it: 28 December 2011 - 06:47 PM

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#7 jagrim

Member

Group: Members
Posts: 50
Joined: 28-July 07

Posted 28 December 2011 - 08:47 PM

Finally got it to run -- It took approximately 1-1/2 hr

The first screens told me that McAfee was running but when checking McAfee said everything was turned off.

Combofix log:

ComboFix 11-12-28.03 - Maggie 12/28/2011 18:18:32.1.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2967 [GMT -6:00]
Running from: G:\1234.scr
Command switches used :: /S
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\TotalRecipeSearch_14EI
c:\program files (x86)\TotalRecipeSearch_14EI\Installr\1.bin\14EZSETP.dll
c:\users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\System Fix.lnk
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
c:\windows\system32\java.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-29 01:18 . 2011-12-29 01:18 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4881FA84-9089-488B-BBE2-59803C591D65}\offreg.dll
2011-12-29 01:14 . 2011-12-29 01:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-29 01:14 . 2011-12-29 01:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-12-28 23:44 . 2011-12-28 23:44 -------- d-----w- c:\programdata\McAfee Anti-Theft
2011-12-28 01:37 . 2011-12-28 01:37 -------- d-----w- c:\users\Maggie\AppData\Local\Google
2011-12-23 00:33 . 2011-12-23 00:34 -------- d-----w- c:\program files\NVIDIA Corporation
2011-12-23 00:29 . 2009-10-10 03:17 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2011-12-23 00:19 . 2011-12-23 00:19 -------- d-----w- c:\windows\system32\SPReview
2011-12-23 00:18 . 2011-12-23 00:18 -------- d-----w- c:\windows\system32\EventProviders
2011-12-23 00:06 . 2011-12-23 00:06 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-22 23:41 . 2011-12-22 23:41 -------- d-----w- c:\program files\Google
2011-12-22 23:41 . 2011-12-22 23:42 -------- d-----w- c:\users\Administrator\AppData\Local\Google
2011-12-22 23:41 . 2011-12-22 23:41 -------- d-----w- c:\program files (x86)\Google
2011-12-21 15:51 . 2011-12-21 15:51 -------- d-----w- c:\users\Maggie\jagexcache1
2011-12-21 04:51 . 2011-12-21 04:54 -------- d-----w- c:\users\Maggie\AppData\Local\CrashDumps
2011-12-20 02:48 . 2011-12-20 02:48 -------- d-----w- c:\users\Maggie\AppData\Local\McAfee Anti-Theft
2011-12-16 19:07 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-16 19:07 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-16 19:07 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-16 19:05 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-16 19:04 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-16 19:04 . 2011-11-24 05:00 3141632 ----a-w- c:\windows\system32\win32k.sys
2011-12-12 23:38 . 2011-12-12 23:38 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-12 23:38 . 2011-12-12 23:38 -------- d-----w- c:\program files\Java
2011-12-12 22:59 . 2011-12-12 22:59 -------- dc----w- c:\windows\system32\DRVSTORE
2011-12-12 22:59 . 2010-04-14 02:10 66040 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-12-12 22:59 . 2011-12-12 22:59 -------- d-----w- c:\program files (x86)\McAfee Online Backup
2011-12-12 22:59 . 2011-04-11 20:29 71800 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-12-12 22:59 . 2011-12-12 22:59 -------- d-----w- c:\users\Administrator\AppData\Local\McAfee Anti-Theft
2011-12-12 22:54 . 2011-10-15 19:16 10248 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-12 22:54 . 2011-12-12 22:56 -------- d-----w- c:\program files (x86)\Common Files\McAfee
2011-12-12 22:53 . 2011-10-15 19:16 284648 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-12-12 22:53 . 2011-10-15 19:16 75808 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-12-12 22:53 . 2011-10-15 19:16 65264 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-12-12 22:53 . 2011-10-15 19:16 481768 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-12-12 22:53 . 2011-10-15 19:16 229528 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-12 22:53 . 2011-10-15 19:16 100912 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-12 22:53 . 2011-12-12 22:55 -------- d-----w- c:\program files\Common Files\McAfee
2011-12-12 22:53 . 2011-12-12 23:00 -------- d-----w- c:\program files\McAfee
2011-12-12 22:53 . 2011-12-28 01:36 -------- d-----w- c:\program files (x86)\McAfee
2011-12-12 22:45 . 2011-12-12 22:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2011-12-12 22:43 . 2011-10-18 20:32 161168 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-12 22:43 . 2011-12-13 02:56 -------- d-----w- c:\programdata\McAfee
2011-12-12 22:41 . 2011-12-12 22:41 -------- d-----w- c:\windows\system32\Macromed
2011-12-11 18:33 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-12-11 17:01 . 2011-12-11 17:01 -------- d-----w- c:\users\Maggie\AppData\Roaming\Malwarebytes
2011-12-11 17:01 . 2011-12-11 17:01 -------- d-----w- c:\programdata\Malwarebytes
2011-12-11 17:01 . 2011-12-15 02:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-11 17:00 . 2011-12-11 17:00 -------- d-----w- C:\Downloaded Software
2011-12-11 16:57 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4881FA84-9089-488B-BBE2-59803C591D65}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-23 00:51 . 2009-07-14 02:36 152064 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-12-23 00:51 . 2009-07-14 02:36 175104 ----a-w- c:\windows\system32\msclmd.dll
2011-12-12 22:41 . 2011-09-09 15:25 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-15 20:29 . 2011-08-05 23:06 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 11:54 . 2011-06-21 07:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-10-15 19:16 . 2011-03-13 17:20 647080 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16 . 2011-03-13 17:20 160280 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 03:20 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-22 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1675160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 136176]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-09-17 23536]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-28 249936]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-28 249936]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-28 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 208536]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 MOBKbackup;McAfee Online Backup;c:\program files (x86)\McAfee Online Backup\MOBKbackup.exe [2010-04-14 231224]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 23:41]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 23:41]
.
2011-12-22 c:\windows\Tasks\HPCeeScheduleForAdministrator.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
.
2011-11-30 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 02:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 02:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 02:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-15 610360]
"PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 436384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
.
**************************************************************************
.
Completion time: 2011-12-28 19:40:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-29 01:40
.
Pre-Run: 558,570,921,984 bytes free
Post-Run: 558,689,779,712 bytes free
.
- - End Of File - - 496A8A0707FE613C56A17BE1952F1A3E

#8 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 28 December 2011 - 09:55 PM

How is your machine running now?

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#9 jagrim

Member

Group: Members
Posts: 50
Joined: 28-July 07

Posted 28 December 2011 - 10:22 PM

Still getting redirects from search

#10 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 29 December 2011 - 12:02 AM

Hello,

Do you have a USB Flash Drive? I need to know this answer.

1.
Are you connected to the internet through a router? If so we need to reset the router.

How to Reset your Router.

2.

Download RogueKiller on the desktop
Close all the running processes
Under Vista/Seven, right click -> Run as Administrator
Otherwise just double-click on RogueKiller.exe
When prompted, type 1 (SCAN) then Enter
A report should open, give its content to your helper. (RKreport could also be found next to the executable)
If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename in winlogon.exe (or winlogon.com) and try again

3.
Try and run aswmbr again.

4.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

Things to include in your next reply::
Do you have a USB Flash Drive?
RogueKiller log
aswMBR log, if you can get it to run?
MBRcheck log
Still having redirects?

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#11 jagrim

Member

Group: Members
Posts: 50
Joined: 28-July 07

Posted 29 December 2011 - 03:21 PM

Yes, I have a USB Flash Drive

Yes, I am still getting redirects

RogueKiller log:
RogueKiller V6.2.1 [12/28/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Maggie [Admin rights]
Mode: Scan -- Date : 12/29/2011 12:40:38

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 362d444634fc1f85aa21345369b894d0
[BSP] 8e9242ffacc944009659cfd933c27890 : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 2048 | Size: 104 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 206848 | Size: 628322 Mo
3 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 1227399168 | Size: 11705 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

aswMBR log:
aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-29 12:44:10
-----------------------------
12:44:10.209 OS Version: Windows x64 6.1.7600
12:44:10.209 Number of processors: 2 586 0x602
12:44:10.209 ComputerName: MAGGIE-PC UserName: Maggie
12:44:11.800 Initialize success
12:47:17.222 AVAST engine defs: 11122900
12:48:00.418 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
12:48:00.418 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
12:48:00.450 Disk 0 MBR read successfully
12:48:00.465 Disk 0 MBR scan
12:48:00.481 Disk 0 unknown MBR code
12:48:00.496 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
12:48:00.528 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 599215 MB offset 206848
12:48:00.590 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 11163 MB offset 1227399168
12:48:00.606 Service scanning
12:48:02.088 Modules scanning
12:48:02.088 Disk 0 trace - called modules:
12:48:02.103 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800462c334]<<
12:48:02.103 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800460d060]
12:48:02.119 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa80036f5db0]
12:48:02.119 5 ACPI.sys[fffff88000f1a781] -> nt!IofCallDriver -> \Device\0000005a[0xfffffa80041b73a0]
12:48:02.134 \Driver\nvstor64[0xfffffa80041ade70] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa800462c334
12:48:04.942 AVAST engine scan C:\
14:00:25.096 Scan finished successfully
14:13:30.432 Disk 0 MBR has been saved successfully to "C:\Users\Maggie\Desktop\MBR.dat"
14:13:30.432 The log file has been saved successfully to "C:\Users\Maggie\Desktop\aswMBR.txt"

MBRcheck log:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: PEGATRON CORPORATION
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: HP-Pavilion
System Product Name: AY643AA-ABA s5310f
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 148):
0x02E52000 \SystemRoot\system32\ntoskrnl.exe
0x02E09000 \SystemRoot\system32\hal.dll
0x00BD1000 \SystemRoot\system32\kdcom.dll
0x00C6A000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
0x00C77000 \SystemRoot\system32\PSHED.dll
0x00C8B000 \SystemRoot\system32\CLFS.SYS
0x00CE9000 \SystemRoot\system32\CI.dll
0x00E5C000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F00000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F0F000 \SystemRoot\system32\drivers\ACPI.sys
0x00F66000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00F6F000 \SystemRoot\system32\drivers\msisadrv.sys
0x00F79000 \SystemRoot\system32\drivers\pci.sys
0x00FAC000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00FB9000 \SystemRoot\System32\drivers\partmgr.sys
0x00FCE000 \SystemRoot\system32\drivers\volmgr.sys
0x00E00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00FE3000 \SystemRoot\System32\drivers\mountmgr.sys
0x00DA9000 \SystemRoot\system32\DRIVERS\nvstor64.sys
0x00C00000 \SystemRoot\system32\DRIVERS\storport.sys
0x00DE8000 \SystemRoot\system32\drivers\amdxata.sys
0x010DA000 \SystemRoot\system32\drivers\fltmgr.sys
0x01126000 \SystemRoot\system32\drivers\fileinfo.sys
0x0113A000 \SystemRoot\system32\drivers\mfehidk.sys
0x01256000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01000000 \SystemRoot\System32\Drivers\msrpc.sys
0x01200000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0105E000 \SystemRoot\System32\Drivers\cng.sys
0x0121A000 \SystemRoot\System32\drivers\pcw.sys
0x0122B000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01415000 \SystemRoot\system32\drivers\ndis.sys
0x01507000 \SystemRoot\system32\drivers\NETIO.SYS
0x01567000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01601000 \SystemRoot\System32\drivers\tcpip.sys
0x01592000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x018CE000 \SystemRoot\system32\drivers\mfewfpk.sys
0x01912000 \SystemRoot\system32\drivers\volsnap.sys
0x0195E000 \SystemRoot\System32\Drivers\spldr.sys
0x01966000 \SystemRoot\System32\drivers\rdyboost.sys
0x019A0000 \SystemRoot\System32\Drivers\mup.sys
0x019B2000 \SystemRoot\system32\drivers\McPvDrv.sys
0x019CA000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01800000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x0183A000 \SystemRoot\system32\DRIVERS\disk.sys
0x01850000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x03D0A000 \SystemRoot\system32\drivers\cdrom.sys
0x03D34000 \SystemRoot\system32\DRIVERS\MOBK.sys
0x03D4A000 \SystemRoot\System32\Drivers\Null.SYS
0x03D53000 \SystemRoot\System32\Drivers\Beep.SYS
0x03D5A000 \SystemRoot\System32\drivers\vga.sys
0x03D68000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x03D8D000 \SystemRoot\System32\drivers\watchdog.sys
0x03D9D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x03DA6000 \SystemRoot\system32\drivers\rdpencdd.sys
0x03DAF000 \SystemRoot\system32\drivers\rdprefmp.sys
0x03DB8000 \SystemRoot\System32\Drivers\Msfs.SYS
0x03DC3000 \SystemRoot\System32\Drivers\Npfs.SYS
0x03DD4000 \SystemRoot\system32\DRIVERS\tdx.sys
0x03DF2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x03C00000 \SystemRoot\System32\DRIVERS\netbt.sys
0x03E12000 \SystemRoot\system32\drivers\afd.sys
0x03E9B000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03EA4000 \SystemRoot\system32\DRIVERS\pacer.sys
0x03ECA000 \SystemRoot\system32\DRIVERS\mfenlfk.sys
0x03EDB000 \SystemRoot\system32\DRIVERS\netbios.sys
0x03EEA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x03F05000 \SystemRoot\system32\drivers\termdd.sys
0x03F19000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03F6A000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03F76000 \SystemRoot\system32\drivers\mssmbios.sys
0x03F81000 \SystemRoot\System32\drivers\discache.sys
0x03F90000 \SystemRoot\System32\Drivers\dfsc.sys
0x03FAE000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03FBF000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x03FE5000 \SystemRoot\system32\DRIVERS\amdppm.sys
0x03E00000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x03C45000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x03C9B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x01898000 \SystemRoot\system32\drivers\HDAudBus.sys
0x040AA000 \SystemRoot\system32\DRIVERS\nvmf6264.sys
0x0FE61000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x10B9A000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x040FC000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x10B9C000 \SystemRoot\System32\drivers\dxgmms1.sys
0x10BE2000 \SystemRoot\system32\drivers\CompositeBus.sys
0x0FE00000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x0FE16000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x0FE3A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04000000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x0FE46000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0402F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x04050000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0406A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x04079000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x10BF2000 \SystemRoot\system32\drivers\swenum.sys
0x042AB000 \SystemRoot\system32\drivers\ks.sys
0x042EE000 \SystemRoot\system32\drivers\umbus.sys
0x04300000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0435A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x048E0000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x04BA1000 \SystemRoot\system32\drivers\portcls.sys
0x04BDE000 \SystemRoot\system32\drivers\drmk.sys
0x04800000 \SystemRoot\system32\drivers\ksthunk.sys
0x04806000 \SystemRoot\system32\drivers\mfeavfk.sys
0x0483C000 \SystemRoot\system32\drivers\mfefirek.sys
0x048B0000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x048BE000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x048D7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x0436F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04371000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x0437F000 \SystemRoot\System32\Drivers\crashdmp.sys
0x0438D000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x04397000 \SystemRoot\System32\Drivers\dump_nvstor64.sys
0x043D6000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x043E9000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x04200000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x000E0000 \SystemRoot\System32\win32k.sys
0x0421B000 \SystemRoot\System32\drivers\Dxapi.sys
0x04227000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00500000 \SystemRoot\System32\TSDDD.dll
0x00760000 \SystemRoot\System32\cdd.dll
0x008C0000 \SystemRoot\System32\ATMFD.DLL
0x04235000 \SystemRoot\system32\drivers\luafv.sys
0x04258000 \SystemRoot\system32\drivers\WudfPf.sys
0x04279000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x0428E000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x03CAC000 \SystemRoot\System32\Drivers\fastfat.SYS
0x05075000 \SystemRoot\system32\drivers\HTTP.sys
0x0513D000 \SystemRoot\system32\DRIVERS\bowser.sys
0x0515B000 \SystemRoot\System32\drivers\mpsdrv.sys
0x05173000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x051A0000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x05000000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x060AA000 \SystemRoot\system32\drivers\peauth.sys
0x06150000 \SystemRoot\System32\Drivers\secdrv.SYS
0x0615B000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x06188000 \SystemRoot\System32\drivers\tcpipreg.sys
0x06000000 \SystemRoot\System32\DRIVERS\srv2.sys
0x06270000 \SystemRoot\System32\DRIVERS\srv.sys
0x0632B000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x0635C000 \SystemRoot\system32\drivers\cfwids.sys
0x06226000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
0x0636B000 \SystemRoot\system32\drivers\mfeapfk.sys
0x06391000 \??\C:\Users\Maggie\AppData\Local\Temp\aswMBR.sys
0x77530000 \Windows\System32\ntdll.dll
0x480E0000 \Windows\System32\smss.exe
0xFF850000 \Windows\System32\apisetschema.dll
0xFFF90000 \Windows\System32\autochk.exe

Processes (total 59):
0 System Idle Process
4 System
292 C:\Windows\System32\smss.exe
476 csrss.exe
528 C:\Windows\System32\wininit.exe
552 csrss.exe
596 C:\Windows\System32\services.exe
612 C:\Windows\System32\lsass.exe
620 C:\Windows\System32\lsm.exe
700 C:\Windows\System32\winlogon.exe
784 C:\Windows\System32\svchost.exe
848 C:\Windows\System32\nvvsvc.exe
888 C:\Windows\System32\svchost.exe
964 C:\Windows\System32\svchost.exe
108 C:\Windows\System32\svchost.exe
376 C:\Windows\System32\svchost.exe
904 C:\Windows\System32\svchost.exe
1080 C:\Windows\System32\nvvsvc.exe
1124 C:\Windows\System32\svchost.exe
1244 C:\Windows\System32\spoolsv.exe
1296 C:\Windows\System32\svchost.exe
1400 C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
1432 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
1508 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
1532 C:\Windows\System32\mfevtps.exe
1600 C:\Windows\System32\svchost.exe
1652 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
1680 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
1064 C:\Windows\System32\rundll32.exe
468 C:\Windows\SysWOW64\rundll32.exe
2316 WUDFHost.exe
2436 C:\Windows\System32\svchost.exe
2848 C:\Windows\System32\taskhost.exe
2928 C:\Windows\System32\dwm.exe
2984 C:\Windows\explorer.exe
1544 C:\Windows\System32\svchost.exe
392 C:\Windows\System32\taskeng.exe
736 C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
3020 C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
2784 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
1556 C:\Program Files\McAfee\MAT\McPvTray.exe
2508 C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
1860 C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
1012 C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
972 C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
2916 C:\Program Files\McAfee.com\Agent\mcagent.exe
380 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
3108 C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
3604 C:\Windows\System32\svchost.exe
4008 C:\Windows\System32\SearchIndexer.exe
4348 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
4988 C:\Windows\System32\wuauclt.exe
3236 C:\Program Files (x86)\Ask.com\Updater\Updater.exe
3972 C:\Windows\System32\SearchProtocolHost.exe
4700 C:\Windows\System32\SearchFilterHost.exe
3600 C:\Windows\System32\SearchProtocolHost.exe
2576 C:\Users\Maggie\Desktop\MBRCheck.exe
3784 C:\Windows\System32\conhost.exe
4404 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000092`51400000 (NTFS)

PhysicalDrive0 Model Number: WDC WD6400AAKS-65A7B, Rev: 01.0

Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 49CF8AC01301BBB6D2050EFF34AAB701A3F068C9

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#12 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 29 December 2011 - 09:57 PM

Re-Run MBRCheck.exe

Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Please push the 'Y' key and then press Enter
When program ask you Enter your choice: enter
[1] Dump the MBR of a physical disk to file.
and press the Enter key
Next it will say Enter the physical disk number to dump <0-99, -1 to exit>
Type 0 and press Enter
The program will ask for the file name to dump to, type dump.dat and Press Enter. You should see Dumped successfully.
Next, type -1 and press Enter. Next press Enter again, and the program will exit.
Save it to your desktop then attach the resultant output in your next reply.

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click

#13 jagrim

Member

Group: Members
Posts: 50
Joined: 28-July 07

Posted 29 December 2011 - 10:12 PM

MBRCheck dump file

I renamed the dump.dat to dump.txt to be able to attach.

Attached File(s)

dump.txt (512bytes)
Number of downloads: 2

#14 fireman4it

Bleepin' Fireman

Group: Malware Response Team
Posts: 8,316
Joined: 24-May 08
Gender:Male
Location:Bement, ILL

Posted 29 December 2011 - 11:36 PM

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

Insert your USB drive
Press Start > My Computer > right click your USB drive > choose Format > Quick format
Double click the unetbootin-xpud-windows-387.exe that you just downloaded
Press Run then OK
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded
Verify the correct drive letter is selected for your USB device then click OK
It will install a little bootable OS on your USB device
After it has completed do not choose to reboot the clean computer simply close the installer
Next download http://noahdfear.net/downloads/dumpit to your USB
Remove the USB and insert it in the sick computer
Boot the Sick computer
Press F12 and choose to boot from the USB
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
There should be a file dumpit
Double-click dumpit
When dumpit is done, it creates a file called mbr.zip on the flash drive.