Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected:browser re-directs services.exe at 100% cpu


  • This topic is locked This topic is locked
29 replies to this topic

#1 bdog676

bdog676

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:02 PM

Posted 28 March 2009 - 04:00 PM

I'm not finding anything with malwarebytes or ad-aware. I am having browser re-directs when clicking links. I also have services.exe at 100% cpu usage. Thanks for the help. :thumbup2:




DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 16:52:06.34 on Sat 03/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2514 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.gatewaybiz.com
mStart Page = hxxp://www.gatewaybiz.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {70DE7956-479D-4EB7-8641-2B45774C350E} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\rocket~1.lnk - c:\windows\bricopacks\vista inspirat 2\rocketdock\RocketDock.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\transbar.lnk - c:\windows\bricopacks\vista inspirat 2\transbar\TransBar.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\ubericon.lnk - c:\windows\bricopacks\vista inspirat 2\ubericon\UberIcon Manager.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\y'zsha~1.lnk - c:\windows\bricopacks\vista inspirat 2\yzshadow\YzShadow.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231110024546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231110005187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: okmgpl.dll ,c:\windows\system32\pusupuro.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\pusupuro.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\kzv0wh8p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kzv0wh8p.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-30 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-16 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-16 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-3-16 144704]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-18 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-16 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-16 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-16 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-16 40488]
S2 gupdate1c98d8abaa6a018;Google Update Service (gupdate1c98d8abaa6a018);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-16 33832]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2007-12-20 44928]

=============== Created Last 30 ================

2009-03-28 16:32 <DIR> --d----- c:\program files\Trend Micro
2009-03-28 15:52 <DIR> --d----- c:\program files\common files\HP
2009-03-28 15:42 164,805 a------- c:\windows\hpoins21.dat
2009-03-28 15:42 7,262 -------- c:\windows\hpomdl21.dat
2009-03-27 10:10 <DIR> --d----- c:\docume~1\owner\applic~1\RetroShare
2009-03-27 10:10 <DIR> --d----- c:\program files\RetroShare
2009-03-24 20:09 <DIR> --d----- c:\program files\Alliance
2009-03-22 12:43 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-03-22 12:39 61,440 a------- c:\windows\system32\drivers\olsnu.sys
2009-03-22 12:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-22 12:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-22 12:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-22 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-22 08:23 124,928 -------- c:\windows\system32\okmgpl.dll
2009-03-22 08:22 124,928 a--sh--- c:\windows\system32\ifcyvp.dll
2009-03-21 18:22 124,928 a--sh--- c:\windows\system32\qxustr.dll
2009-03-16 16:50 11,177 a------- c:\windows\system32\Config.MPF
2009-03-16 16:50 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-16 16:47 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-16 16:47 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-16 16:47 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-16 16:47 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-16 16:47 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-16 16:47 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-16 16:46 <DIR> --d----- c:\program files\McAfee.com
2009-03-16 16:46 <DIR> --d----- c:\program files\common files\McAfee
2009-03-16 16:14 5,632 a------- c:\windows\system32\ptpusb.dll
2009-03-16 16:13 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-03-16 16:13 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-03-16 16:13 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-03-22 08:22 124,928 a--sh--- c:\windows\system32\bujusafu.dll
2009-03-21 18:22 124,928 a--sh--- c:\windows\system32\muwatibi.dll
2009-03-21 18:22 84,992 a--sh--- c:\windows\system32\hivunote.dll
2009-03-06 20:27 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-06 20:27 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-12 16:17 1,885,464 a------- c:\windows\system32\AutoPartNt.exe
2009-02-12 16:07 441,760 a------- c:\windows\system32\drivers\timntr.sys
2009-02-12 16:07 44,384 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-02-12 16:07 132,224 a------- c:\windows\system32\drivers\snapman.sys
2009-02-12 16:07 368,480 a------- c:\windows\system32\drivers\tdrpman.sys
2009-02-11 19:55 5,370 a------- c:\windows\BricoPackFoldersDelete.cmd
2009-02-11 19:55 218,624 a------- c:\windows\system32\uxtheme.dll
2009-02-11 19:55 72,066 a------- c:\windows\BricoPackUninst.cmd
2009-01-31 12:59 43,698 a------- c:\windows\system32\xvid-uninstall.exe
2009-01-25 17:10 179,200 a------- c:\windows\system32\xvidvfw.dll
2009-01-08 19:01 629,760 a------- c:\windows\system32\xvidcore.dll
2009-01-07 12:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-07-03 22:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070320080704\index.dat

============= FINISH: 16:53:08.81 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 bdog676

bdog676
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:02 PM

Posted 30 March 2009 - 08:35 PM

I fixed the services cpu usage. It was trying to find a network printer. The browser redirects are when clicking on google results.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:05:02 PM

Posted 06 April 2009 - 11:13 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 bdog676

bdog676
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:02 PM

Posted 06 April 2009 - 03:26 PM

I am having problems clicking google search results using firefox. When I click a link, I am redirected to an advertising site. This doesn't seem to happen when I use IE. Thanks for the help.






DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 16:06:29.95 on Mon 04/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2578 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.gatewaybiz.com
mStart Page = hxxp://www.gatewaybiz.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {70DE7956-479D-4EB7-8641-2B45774C350E} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\rocket~1.lnk - c:\windows\bricopacks\vista inspirat 2\rocketdock\RocketDock.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\transbar.lnk - c:\windows\bricopacks\vista inspirat 2\transbar\TransBar.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\ubericon.lnk - c:\windows\bricopacks\vista inspirat 2\ubericon\UberIcon Manager.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\y'zsha~1.lnk - c:\windows\bricopacks\vista inspirat 2\yzshadow\YzShadow.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231110024546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231110005187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: okmgpl.dll ,c:\windows\system32\pusupuro.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\pusupuro.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\kzv0wh8p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kzv0wh8p.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-30 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-16 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-16 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-3-16 144704]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-18 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-16 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-16 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-16 33832]
S2 gupdate1c98d8abaa6a018;Google Update Service (gupdate1c98d8abaa6a018);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-16 40488]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2007-12-20 44928]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-16 695624]

=============== Created Last 30 ================

2009-04-03 12:22 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-03 12:22 1,409 a------- c:\windows\QTFont.for
2009-03-30 14:46 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-28 16:32 <DIR> --d----- c:\program files\Trend Micro
2009-03-28 15:52 <DIR> --d----- c:\program files\common files\HP
2009-03-28 15:42 164,805 a------- c:\windows\hpoins21.dat
2009-03-28 15:42 7,262 -------- c:\windows\hpomdl21.dat
2009-03-27 10:10 <DIR> --d----- c:\docume~1\owner\applic~1\RetroShare
2009-03-27 10:10 <DIR> --d----- c:\program files\RetroShare
2009-03-24 20:09 <DIR> --d----- c:\program files\Alliance
2009-03-22 12:43 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-03-22 12:39 61,440 a------- c:\windows\system32\drivers\olsnu.sys
2009-03-22 12:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-22 12:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-22 12:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-22 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-22 08:23 124,928 -------- c:\windows\system32\okmgpl.dll
2009-03-22 08:22 124,928 a--sh--- c:\windows\system32\ifcyvp.dll
2009-03-21 18:22 124,928 a--sh--- c:\windows\system32\qxustr.dll
2009-03-16 16:50 11,667 a------- c:\windows\system32\Config.MPF
2009-03-16 16:50 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-16 16:47 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-16 16:47 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-16 16:47 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-16 16:47 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-16 16:47 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-16 16:47 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-16 16:46 <DIR> --d----- c:\program files\McAfee.com
2009-03-16 16:46 <DIR> --d----- c:\program files\common files\McAfee
2009-03-16 16:14 5,632 a------- c:\windows\system32\ptpusb.dll
2009-03-16 16:13 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-03-16 16:13 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-03-16 16:13 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-03-30 19:53 96,384 a------- c:\windows\system32\drivers\sptddrv1.sys
2009-03-22 08:22 124,928 a--sh--- c:\windows\system32\bujusafu.dll
2009-03-21 18:22 124,928 a--sh--- c:\windows\system32\muwatibi.dll
2009-03-21 18:22 84,992 a--sh--- c:\windows\system32\hivunote.dll
2009-03-06 20:27 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-06 20:27 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-12 16:17 1,885,464 a------- c:\windows\system32\AutoPartNt.exe
2009-02-12 16:07 441,760 a------- c:\windows\system32\drivers\timntr.sys
2009-02-12 16:07 44,384 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-02-12 16:07 132,224 a------- c:\windows\system32\drivers\snapman.sys
2009-02-12 16:07 368,480 a------- c:\windows\system32\drivers\tdrpman.sys
2009-02-11 19:55 5,370 a------- c:\windows\BricoPackFoldersDelete.cmd
2009-02-11 19:55 218,624 a------- c:\windows\system32\uxtheme.dll
2009-02-11 19:55 72,066 a------- c:\windows\BricoPackUninst.cmd
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-31 12:59 43,698 a------- c:\windows\system32\xvid-uninstall.exe
2009-01-25 17:10 179,200 a------- c:\windows\system32\xvidvfw.dll
2009-01-08 19:01 629,760 a------- c:\windows\system32\xvidcore.dll
2009-01-07 12:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-07-03 22:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070320080704\index.dat

============= FINISH: 16:06:52.19 ===============

Attached Files



#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 06 April 2009 - 04:09 PM

Hello.

I see a few bad things we can remove that is related to the infection vundo. Let's see what we can do :thumbup2:

Run GooredFix using Option2 (Removal)

Please download GooredFix and save it to your Desktop.
Alternative Download Mirror #2

Please make sure all instances of Firefox are closed at this point before proceeding.
  • Please double-click Goored.exe on your Desktop to run it.
  • A window will appear, please Select 2. (Fix Goored) by typing 2 and pressing Enter.
  • Type Y at the prompt and press Enter. The removal process will begin
  • A log will open with the file after completion, please post the contents of that log in your next reply
*Note: The log can also be found on your desktop (Goored.txt)

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Post back with:
-GooredFix log
-Combofix log


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 bdog676

bdog676
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:02 PM

Posted 06 April 2009 - 05:45 PM

Hello. Thank you for your help. Here are the requested logs:

gooredlog:

GooredFix v1.92 by jpshortstuff
Log created at 18:00 on 06/04/2009 running Option #2 (Owner)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{9E10DAF2-D8FE-4FDB-A595-83958E7D5CD9}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"


combofix log:

ComboFix 09-04-04.01 - Owner 2009-04-06 18:04:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2764 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\AutoRun.inf
c:\windows\system32\bujusafu.dll
c:\windows\system32\ifcyvp.dll
c:\windows\system32\muwatibi.dll
c:\windows\system32\okmgpl.dll
c:\windows\system32\qxustr.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-03 12:22 . 2009-04-03 12:22 54,156 --ah----- c:\windows\QTFont.qfn
2009-04-03 12:22 . 2009-04-03 12:22 1,409 --a------ c:\windows\QTFont.for
2009-03-30 14:46 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-28 16:32 . 2009-03-28 16:32 <DIR> d-------- c:\program files\Trend Micro
2009-03-28 15:52 . 2009-03-28 15:52 <DIR> d-------- c:\program files\Common Files\HP
2009-03-28 15:42 . 2009-03-28 15:57 164,805 --a------ c:\windows\hpoins21.dat
2009-03-28 15:42 . 2008-01-23 21:34 7,262 --------- c:\windows\hpomdl21.dat
2009-03-27 10:10 . 2009-03-27 10:11 <DIR> d-------- c:\program files\RetroShare
2009-03-27 10:10 . 2009-03-28 10:42 <DIR> d-------- c:\documents and settings\Owner\Application Data\RetroShare
2009-03-24 20:09 . 2009-03-28 14:32 <DIR> d-------- c:\program files\Alliance
2009-03-22 12:43 . 2009-03-22 12:43 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-22 12:39 . 2009-03-22 12:39 61,440 --a------ c:\windows\system32\drivers\olsnu.sys
2009-03-22 12:34 . 2009-03-26 20:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-22 12:34 . 2009-03-22 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-22 12:34 . 2009-03-22 12:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-22 12:34 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-22 12:34 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-16 16:50 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-03-16 16:50 . 2009-04-06 18:08 11,667 --a------ c:\windows\system32\Config.MPF
2009-03-16 16:47 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-03-16 16:47 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-03-16 16:47 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-16 16:47 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-16 16:47 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-03-16 16:47 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-03-16 16:46 . 2009-03-16 16:46 <DIR> d-------- c:\program files\McAfee.com
2009-03-16 16:46 . 2009-03-16 16:47 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-16 16:14 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-16 16:13 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-16 16:13 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-16 16:13 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 20:54 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-05 19:13 --------- d-----w c:\documents and settings\Owner\Application Data\NewsBin
2009-04-05 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-04-04 14:47 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-04-01 01:13 --------- d-----w c:\program files\Winamp
2009-03-30 23:53 96,384 ----a-w c:\windows\system32\drivers\sptddrv1.sys
2009-03-30 19:01 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-30 18:49 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-28 21:04 --------- d-----w c:\program files\HP
2009-03-28 18:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-19 23:26 --------- d-----w c:\program files\mIRC
2009-03-18 21:04 --------- d-----w c:\program files\McAfee
2009-03-16 20:50 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-08 15:44 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-03-07 00:27 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-22 04:04 --------- d-----w c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-02-22 04:01 --------- d-----w c:\program files\JumpStart
2009-02-22 04:01 --------- d-----w c:\program files\Common Files\Knowledge Adventure
2009-02-13 23:48 --------- d-----w c:\program files\SystemRequirementsLab
2009-02-13 23:48 --------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-02-13 03:26 --------- d-----w c:\program files\Google
2009-02-12 20:07 441,760 ----a-w c:\windows\system32\drivers\timntr.sys
2009-02-12 20:07 44,384 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-02-12 20:07 368,480 ----a-w c:\windows\system32\drivers\tdrpman.sys
2009-02-12 20:07 132,224 ----a-w c:\windows\system32\drivers\snapman.sys
2009-02-12 20:07 --------- d-----w c:\program files\Common Files\Seagate
2009-02-12 20:07 --------- d-----w c:\documents and settings\All Users\Application Data\Seagate
2009-02-12 20:06 --------- d-----w c:\program files\Seagate
2009-02-11 23:55 72,066 ----a-w c:\windows\BricoPackUninst.cmd
2009-02-11 23:55 5,370 ----a-w c:\windows\BricoPackFoldersDelete.cmd
2009-02-09 04:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-09 04:01 --------- d-----w c:\program files\Microsoft Games
2009-02-09 03:25 --------- d-----w c:\program files\BitLord
2009-02-06 23:41 --------- d-----w c:\program files\SimpleDivX
2008-07-04 02:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070320080704\index.dat
.

------- Sigcheck -------

2008-04-13 20:12 975872 561a50497324f378e30f55d09b4e1258 c:\windows\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-10 15:00 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 975872 561a50497324f378e30f55d09b4e1258 c:\windows\ServicePackFiles\i386\explorer.exe

2008-10-16 15:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\ServicePackFiles\i386\wuauclt.exe
2008-10-16 15:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\system32\wuauclt.exe
2008-10-16 15:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 65536]
UberIcon.lnk - c:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 180224]
Y'z Shadow.lnk - c:\windows\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=okmgpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2008-06-24 21:06 904768 c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-06 20:27 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2008-06-24 20:52 1325848 c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-06 00:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2005-07-22 22:40 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-10-12 16:30 139264 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-02-07 09:36 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-02-07 09:40 118784 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-02-07 09:39 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--a------ 2005-10-27 20:17 8740864 c:\program files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 18:12 582992 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 20:16 1121792 c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-01-15 09:19 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 12:32 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2009-01-15 09:19 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-03-17 22:24 184320 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
--a------ 2005-08-27 09:09 139264 c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 03:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-03-09 11:49 966656 c:\windows\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
--a------ 2008-06-24 20:56 136472 c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-02-12 18:07 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2009-01-15 09:19 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133312070\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133312070\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133312070\\EE\\aim6.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"5555:TCP"= 5555:TCP:xbox
"7777:UDP"= 7777:UDP:xbox2
"3932:TCP"= 3932:TCP:xbox3

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-30 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [2008-06-24 431384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-18 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 gupdate1c98d8abaa6a018;Google Update Service (gupdate1c98d8abaa6a018);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 133104]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2007-12-20 44928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fdf1cb1-432e-11d8-9157-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4d2f921-6139-11da-93a1-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 23:11]

2009-04-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 23:25]

2009-03-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-04-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-34ea9baf - c:\windows\system32\dapumuwa.dll
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-CPM37d9a833 - c:\windows\system32\saletoli.dll
MSConfigStartUp-lutotizozo - c:\windows\system32\hukovefo.dll
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-Norton Ghost 10 - c:\program files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-SysTrayApp - c:\program files\IDT\WDM\sttray.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
MSConfigStartUp-SigmatelSysTrayApp - sttray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gatewaybiz.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kzv0wh8p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kzv0wh8p.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 18:11:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4118426621-930993679-4286917034-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1268)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\RMSvc.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-06 18:15:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 22:14:57

Pre-Run: 681,668,173,824 bytes free
Post-Run: 681,691,029,504 bytes free

349

Attached Files



#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 06 April 2009 - 06:01 PM

Hello.

The redirects should be gone now. Check and see if the redirect are gone after running Combofix and the machine reboots.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4d2f921-6139-11da-93a1-806d6172696f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fdf1cb1-432e-11d8-9157-806d6172696f}]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall


Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-Combofix log
-MBAM log
-How's your computer running? Do you still have the redirects?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 bdog676

bdog676
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:02 PM

Posted 06 April 2009 - 07:53 PM

Hello and again thanks for the help. I haven't had any redirects and everything seems to be running ok. :thumbup2: Here are the logs requested.

Combofix:

ComboFix 09-04-04.01 - Owner 2009-04-06 20:26:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2781 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-06 18:24 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-04-03 12:22 . 2009-04-03 12:22 54,156 --ah----- c:\windows\QTFont.qfn
2009-04-03 12:22 . 2009-04-03 12:22 1,409 --a------ c:\windows\QTFont.for
2009-03-30 14:46 . 2009-01-09 15:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-28 16:32 . 2009-03-28 16:32 <DIR> d-------- c:\program files\Trend Micro
2009-03-28 15:52 . 2009-03-28 15:52 <DIR> d-------- c:\program files\Common Files\HP
2009-03-28 15:42 . 2009-03-28 15:57 164,805 --a------ c:\windows\hpoins21.dat
2009-03-28 15:42 . 2008-01-23 21:34 7,262 --------- c:\windows\hpomdl21.dat
2009-03-27 10:10 . 2009-03-27 10:11 <DIR> d-------- c:\program files\RetroShare
2009-03-27 10:10 . 2009-03-28 10:42 <DIR> d-------- c:\documents and settings\Owner\Application Data\RetroShare
2009-03-24 20:09 . 2009-03-28 14:32 <DIR> d-------- c:\program files\Alliance
2009-03-22 12:43 . 2009-03-22 12:43 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-22 12:39 . 2009-03-22 12:39 61,440 --a------ c:\windows\system32\drivers\olsnu.sys
2009-03-22 12:34 . 2009-03-26 20:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-22 12:34 . 2009-03-22 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-22 12:34 . 2009-03-22 12:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-22 12:34 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-22 12:34 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-16 16:50 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-03-16 16:50 . 2009-04-06 20:28 11,635 --a------ c:\windows\system32\Config.MPF
2009-03-16 16:47 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-03-16 16:47 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-03-16 16:47 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-16 16:47 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-16 16:47 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-03-16 16:47 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-03-16 16:46 . 2009-03-16 16:46 <DIR> d-------- c:\program files\McAfee.com
2009-03-16 16:46 . 2009-03-16 16:47 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-16 16:14 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-16 16:13 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-16 16:13 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-16 16:13 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 20:54 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-05 19:13 --------- d-----w c:\documents and settings\Owner\Application Data\NewsBin
2009-04-05 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-04-04 14:47 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-04-01 01:13 --------- d-----w c:\program files\Winamp
2009-03-30 23:53 96,384 ----a-w c:\windows\system32\drivers\sptddrv1.sys
2009-03-30 19:01 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-30 18:49 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-28 21:04 --------- d-----w c:\program files\HP
2009-03-28 18:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-19 23:26 --------- d-----w c:\program files\mIRC
2009-03-18 21:04 --------- d-----w c:\program files\McAfee
2009-03-16 20:50 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-08 15:44 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-03-07 00:27 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-22 04:04 --------- d-----w c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-02-22 04:01 --------- d-----w c:\program files\JumpStart
2009-02-22 04:01 --------- d-----w c:\program files\Common Files\Knowledge Adventure
2009-02-13 23:48 --------- d-----w c:\program files\SystemRequirementsLab
2009-02-13 23:48 --------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-02-13 03:26 --------- d-----w c:\program files\Google
2009-02-12 20:07 441,760 ----a-w c:\windows\system32\drivers\timntr.sys
2009-02-12 20:07 44,384 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-02-12 20:07 368,480 ----a-w c:\windows\system32\drivers\tdrpman.sys
2009-02-12 20:07 132,224 ----a-w c:\windows\system32\drivers\snapman.sys
2009-02-12 20:07 --------- d-----w c:\program files\Common Files\Seagate
2009-02-12 20:07 --------- d-----w c:\documents and settings\All Users\Application Data\Seagate
2009-02-12 20:06 --------- d-----w c:\program files\Seagate
2009-02-11 23:55 72,066 ----a-w c:\windows\BricoPackUninst.cmd
2009-02-11 23:55 5,370 ----a-w c:\windows\BricoPackFoldersDelete.cmd
2009-02-09 04:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-09 04:01 --------- d-----w c:\program files\Microsoft Games
2009-02-09 03:25 --------- d-----w c:\program files\BitLord
2008-07-04 02:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070320080704\index.dat
.

------- Sigcheck -------

2008-04-13 20:12 975872 561a50497324f378e30f55d09b4e1258 c:\windows\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-10 15:00 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 975872 561a50497324f378e30f55d09b4e1258 c:\windows\ServicePackFiles\i386\explorer.exe

2008-10-16 15:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\ServicePackFiles\i386\wuauclt.exe
2008-10-16 15:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\system32\wuauclt.exe
2008-10-16 15:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-06_18.13.45.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-05-26 09:16:24 127,208 ----a-w c:\windows\system32\mucltui.dll
+ 2008-10-16 18:06:48 268,648 ----a-w c:\windows\system32\mucltui.dll
+ 2009-04-07 00:30:44 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b70.dat
+ 2009-04-07 00:30:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_c6c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 65536]
UberIcon.lnk - c:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 180224]
Y'z Shadow.lnk - c:\windows\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2008-06-24 21:06 904768 c:\program files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-06 20:27 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2008-06-24 20:52 1325848 c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-06 00:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2005-07-22 22:40 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-10-12 16:30 139264 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-02-07 09:36 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-02-07 09:40 118784 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-02-07 09:39 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
--a------ 2005-10-27 20:17 8740864 c:\program files\Intel Audio Studio\IntelAudioStudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-11-01 18:12 582992 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 20:16 1121792 c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-01-15 09:19 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 12:32 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2009-01-15 09:19 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-03-17 22:24 184320 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
--a------ 2005-08-27 09:09 139264 c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 03:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-03-09 11:49 966656 c:\windows\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
--a------ 2008-06-24 20:56 136472 c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-02-12 18:07 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2009-01-15 09:19 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133312070\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133312070\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133312070\\EE\\aim6.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"5555:TCP"= 5555:TCP:xbox
"7777:UDP"= 7777:UDP:xbox2
"3932:TCP"= 3932:TCP:xbox3

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-30 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [2008-06-24 431384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-18 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 gupdate1c98d8abaa6a018;Google Update Service (gupdate1c98d8abaa6a018);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 133104]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2007-12-20 44928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 23:11]

2009-04-07 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 23:25]

2009-03-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-04-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gatewaybiz.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kzv0wh8p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kzv0wh8p.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 20:30:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4118426621-930993679-4286917034-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1264)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\RMSvc.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-06 20:34:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-07 00:34:23
ComboFix2.txt 2009-04-07 00:20:45
ComboFix3.txt 2009-04-06 22:15:01

Pre-Run: 681,647,534,080 bytes free
Post-Run: 681,624,788,992 bytes free

330 --- E O F --- 2009-04-06 22:27:14

mbam:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/6/2009 8:48:07 PM
mbam-log-2009-04-06 (20-48-07).txt

Scan type: Quick Scan
Objects scanned: 91278
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 06 April 2009 - 08:15 PM

Hello.

No need to attach the logs when you posted them already :)

Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and [url=http://en.wikipedia.org/wiki/Proprietary_software][color=red]proprietary software[/co

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 06 April 2009 - 08:16 PM

Hello.

No need to attach the logs when you posted them already :thumbup2:

Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.


Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Kaspersky log
-New DDS logs


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 bdog676

bdog676
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:02 PM

Posted 06 April 2009 - 09:21 PM

Hello.

No need to attach the logs when you posted them already :thumbup2:

Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



I want to remove the bad programs and p2p but I'm not sure what all I have that might be vulnerable, as I share this computer with my wife and she seems to install things without my knowledge. Can you list what programs to remove please. Thank you.

~bdog

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 07 April 2009 - 11:56 AM

Hello.

Even using a "safe" P2P program it is not safe since you are sharing with sites/places that you don't know or is unkown.

They might be removed already but if not I strongly suggest you remove it now.

BitLord
LimeWire
BitTorrent


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 bdog676

bdog676
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:02 PM

Posted 07 April 2009 - 11:57 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, April 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, April 07, 2009 14:53:18
Records in database: 2021289
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\

Scan statistics:
Files scanned: 140245
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:11:17


File name / Threat name / Threats count
C:\ircN\system\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1

The selected area was scanned.




DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 12:54:35.09 on Tue 04/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2530 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gatewaybiz.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {70DE7956-479D-4EB7-8641-2B45774C350E} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\rocket~1.lnk - c:\windows\bricopacks\vista inspirat 2\rocketdock\RocketDock.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\transbar.lnk - c:\windows\bricopacks\vista inspirat 2\transbar\TransBar.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\ubericon.lnk - c:\windows\bricopacks\vista inspirat 2\ubericon\UberIcon Manager.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\y'zsha~1.lnk - c:\windows\bricopacks\vista inspirat 2\yzshadow\YzShadow.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231110024546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231110005187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\kzv0wh8p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kzv0wh8p.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-30 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-16 201320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-16 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-3-16 144704]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-18 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-16 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-16 35240]
S2 gupdate1c98d8abaa6a018;Google Update Service (gupdate1c98d8abaa6a018);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-16 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-16 40488]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2007-12-20 44928]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-16 695624]

=============== Created Last 30 ================

2009-04-07 09:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-07 09:01 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-06 19:58 <DIR> a-dshr-- C:\autorun.inf
2009-04-06 18:24 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-04-06 18:03 161,792 a------- c:\windows\SWREG.exe
2009-04-06 18:03 98,816 a------- c:\windows\sed.exe
2009-04-03 12:22 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-03 12:22 1,409 a------- c:\windows\QTFont.for
2009-03-30 14:46 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-28 16:32 <DIR> --d----- c:\program files\Trend Micro
2009-03-28 15:52 <DIR> --d----- c:\program files\common files\HP
2009-03-28 15:42 164,805 a------- c:\windows\hpoins21.dat
2009-03-28 15:42 7,262 -------- c:\windows\hpomdl21.dat
2009-03-27 10:10 <DIR> --d----- c:\docume~1\owner\applic~1\RetroShare
2009-03-27 10:10 <DIR> --d----- c:\program files\RetroShare
2009-03-24 20:09 <DIR> --d----- c:\program files\Alliance
2009-03-22 12:43 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-03-22 12:39 61,440 a------- c:\windows\system32\drivers\olsnu.sys
2009-03-22 12:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-22 12:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-22 12:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-22 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-16 16:50 12,287 a------- c:\windows\system32\Config.MPF
2009-03-16 16:50 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-16 16:47 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-16 16:47 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-16 16:47 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-16 16:47 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-16 16:47 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-16 16:47 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-16 16:46 <DIR> --d----- c:\program files\McAfee.com
2009-03-16 16:46 <DIR> --d----- c:\program files\common files\McAfee
2009-03-16 16:14 5,632 a------- c:\windows\system32\ptpusb.dll
2009-03-16 16:13 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-03-16 16:13 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-03-16 16:13 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-03-30 19:53 96,384 a------- c:\windows\system32\drivers\sptddrv1.sys
2009-03-21 18:22 84,992 a--sh--- c:\windows\system32\hivunote.dll
2009-03-06 20:27 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-06 20:27 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-12 16:17 1,885,464 a------- c:\windows\system32\AutoPartNt.exe
2009-02-12 16:07 441,760 a------- c:\windows\system32\drivers\timntr.sys
2009-02-12 16:07 44,384 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-02-12 16:07 132,224 a------- c:\windows\system32\drivers\snapman.sys
2009-02-12 16:07 368,480 a------- c:\windows\system32\drivers\tdrpman.sys
2009-02-11 19:55 5,370 a------- c:\windows\BricoPackFoldersDelete.cmd
2009-02-11 19:55 218,624 a------- c:\windows\system32\uxtheme.dll
2009-02-11 19:55 72,066 a------- c:\windows\BricoPackUninst.cmd
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-31 12:59 43,698 a------- c:\windows\system32\xvid-uninstall.exe
2009-01-25 17:10 179,200 a------- c:\windows\system32\xvidvfw.dll
2009-01-08 19:01 629,760 a------- c:\windows\system32\xvidcore.dll
2008-07-03 22:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070320080704\index.dat

============= FINISH: 12:54:52.17 ===============

Attached Files



#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 07 April 2009 - 12:17 PM

Hello.

Overall with a "quick-look" there doesn't appear to be too be any infections, however I could be wrong.

I need to go right now so I will review it throughly once get back and give you the next set of instruction(s). :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 bdog676

bdog676
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:02 PM

Posted 07 April 2009 - 08:47 PM

I appreciate the help. I am having a new problem, also related to google. As you type in the search box, it offers suggestions. Well as of today, these suggestions are blank but to the side I still see x results. I will take a screen shot to show you better.

Attached File  screen_shot.JPG   185.26KB   14 downloads




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users